V1D1AN / S1EM

This project is a SIEM with SIRP and Threat Intel, all in one.

worker:failed to scan: File "/home/stoq/.stoq/plugins/lief/lief.py" #62

Closed Akityo closed 2 years ago

Akityo commented 2 years ago

Description

A stoq scan of `HTTP-FOATsI3gRfSaHeitAh.exe` (source_dir `/files`; the `HTTP-` prefix suggests a file carved from captured HTTP traffic) completes but the Elasticsearch document records `errors` from the `lief`, `peinfo`, `yara` and `mwdb` plugins. The full scan document from the `stoq-2022.06.08` index is pasted in the comment below.

Environment

  1. OS (where S1EM server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. S1EM version: { e.g. S1EM 1.0.2 }
  3. Other environment details:

Reproducible Steps

[screenshot attachment — not rendered here]

Expected Output

Actual Output

Scan `b88b0f9e-5d61-4c5c-b4e5-f54d7e5d92fe` reports errors for two payloads:

- parent payload `11270a4a-7abc-4c46-bf04-906caebcec07`: `lief` → `lief.not_found: Manifest corrupted`; `yara` → `yara.TimeoutError: scanning timed out`; `mwdb` archiver → `json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)`.
- second payload `ad204412-1fc7-4f5c-b753-f8bb9e53c737`: `peinfo` → `pefile.PEFormatError: 'DOS Header magic not found.'`; `lief` → `StoqPluginException: The file type isn't supported by LIEF`; `yara` → `scanning timed out`; `mwdb` archiver → the same `JSONDecodeError`.

The `peinfo`, `hash`, `hash_ssdeep`, `entropy` and `iocextract` workers did produce results for the parent payload.

Additional information

The document reports `results.size` = 104857600 (exactly 100 MiB), while the PE's own layout extends well past that: `.rsrc` has `raw_size` 120774656, `.reloc` starts at 120819712, and every resource located at an offset ≥ 119474672 (the second `resource_unknown_1033`, RT_ICON, RT_GROUP_ICON, RT_VERSION, RT_MANIFEST) hashes to the empty-input digests (`d41d8cd9…` / `da39a3ee…` / `e3b0c442…`), as does `.reloc`. That is consistent with the scanned payload being a 100 MiB truncation of a ~121 MB executable, which would also explain the LIEF `Manifest corrupted` error: RT_MANIFEST sits at offset 120796000, beyond the end of the captured data. Before treating the parser errors as plugin bugs it is worth checking whether the file was cut by an extraction or upload size limit upstream.

The second payload (`ad204412-…`), for which `peinfo` reports `DOS Header magic not found` and LIEF reports an unsupported type, is presumably the resource extracted by `peinfo` (the first resource entry carries a `filename`); if so it is not itself a PE and those two errors are expected rather than failures.

Caution on the `iocextract` output: the `ipv6` list (`::6`, `B::1`, `cb::`, …) and the `domain` list (`rs.cg`, `k2.la`, `07.cu`, …) are pattern hits inside a payload whose overall entropy is 7.999996 (the ~120 MB `.rsrc` section alone is at 7.999998, `is_packed: true`). They look like random byte sequences that happen to match the extractor's regexes, not real indicators, and should not be promoted to threat-intel observables or used in detections without independent validation. The `yara` timeouts on the same high-entropy 100 MiB payload and the `mwdb` archiver receiving a non-JSON (empty) response are plausibly size-related as well, but that is inferred, not shown on the page.

Screenshots (optional)

Akityo commented 2 years ago

{ "_index": "stoq-2022.06.08", "_type": "_doc", "_id": "D4dNRYEBmPdo5hcaph1t", "_version": 1, "_score": 1, "_source": { "errors": [ { "error": "worker:failed to scan: File \"/home/stoq/.stoq/plugins/lief/lief.py\", line 57, in scan ; lief.not_found: Manifest corrupted", "plugin_name": "lief", "payload_id": "11270a4a-7abc-4c46-bf04-906caebcec07" }, { "error": "worker:failed to scan: File \"/usr/local/lib/python3.7/concurrent/futures/thread.py\", line 57, in run ; yara.TimeoutError: scanning timed out", "plugin_name": "yara", "payload_id": "11270a4a-7abc-4c46-bf04-906caebcec07" }, { "error": "worker:failed to scan: File \"/usr/local/lib/python3.7/site-packages/pefile.py\", line 1852, in __parse__ ; pefile.PEFormatError: 'DOS Header magic not found.'", "plugin_name": "peinfo", "payload_id": "ad204412-1fc7-4f5c-b753-f8bb9e53c737" }, { "error": "worker:failed to scan: File \"/home/stoq/.stoq/plugins/lief/lief.py\", line 54, in scan ; stoq.exceptions.StoqPluginException: The file type isn't supported by LIEF", "plugin_name": "lief", "payload_id": "ad204412-1fc7-4f5c-b753-f8bb9e53c737" }, { "error": "worker:failed to scan: File \"/usr/local/lib/python3.7/concurrent/futures/thread.py\", line 57, in run ; yara.TimeoutError: scanning timed out", "plugin_name": "yara", "payload_id": "ad204412-1fc7-4f5c-b753-f8bb9e53c737" }, { "error": "archiver:failed to archive: File \"/usr/local/lib/python3.7/json/decoder.py\", line 355, in raw_decode ; json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)", "plugin_name": "mwdb", "payload_id": "11270a4a-7abc-4c46-bf04-906caebcec07" }, { "error": "archiver:failed to archive: File \"/usr/local/lib/python3.7/json/decoder.py\", line 355, in raw_decode ; json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)", "plugin_name": "mwdb", "payload_id": "ad204412-1fc7-4f5c-b753-f8bb9e53c737" } ], "scan_id": "b88b0f9e-5d61-4c5c-b4e5-f54d7e5d92fe", "results": { "plugins_run": { "archivers": [ "mwdb" ], "workers": [ 
"entropy", "iocextract", "peinfo", "clamav", "lief", "hash", "hash_ssdeep", "yara" ] }, "size": 104857600, "workers": { "peinfo": { "entrypoint": { "entry_point_string": "0x1000", "entry_point": 4096 }, "sections": [ { "md5": "e733f7040a7e038e400bbc991cd44714", "name": ".text\u0000\u0000\u0000", "sha1": "4a6ab5d0f35006a9fc167c6c375b76fdfb106303", "virtaddr": 4096, "virtsize": 12773, "entropy": 6.119852907175258, "raw_size": 12800, "sha256": "ee803baf64212a32e3c4c9d676b26d5e231e6c90d32d039537c1b7cb69a14e69" }, { "md5": "c4b5b1d23d9e1f24e162e1a5ec780959", "name": ".rdata\u0000\u0000", "sha1": "f3eace021a26c27e15f6f8a5f3ebfe6ca1996746", "virtaddr": 20480, "virtsize": 5708, "entropy": 4.088132543623405, "raw_size": 6144, "sha256": "deb4923b9c2b1eb3bcfaeb7f6f89d1327835d3c54986b07def0292b3f907d083" }, { "md5": "5aaef3eb6f45b36cc620121eaeb57361", "name": ".data\u0000\u0000\u0000", "sha1": "ee858fbf5645ca0f2bde6cee2f929dac7c80594a", "virtaddr": 28672, "virtsize": 208, "entropy": 0.837703062161795, "raw_size": 512, "sha256": "92dda01efe8e35262925c76d98b457bf0bba08dddbb9de52ef598939215242b1" }, { "md5": "d4d44b11494b6bbec5fd2ef8020b76db", "name": ".pdata\u0000\u0000", "sha1": "0576772d9624b461dba0505b283f1dab77b8c39a", "virtaddr": 32768, "virtsize": 756, "entropy": 3.2622616844025334, "raw_size": 1024, "sha256": "91db690fc48846ec17bda5e5f40f49ee5a4343d299959aefa439ab62f6140ba3" }, { "md5": "16f57dd8845af3f7942ae584a52164bc", "name": ".00cfg\u0000\u0000", "sha1": "8c815a6b5054749b19dd2168d5334e0d25ab38bf", "virtaddr": 36864, "virtsize": 40, "entropy": 0.311433480370671, "raw_size": 512, "sha256": "43534106e30a9c4af3b6b82d06507147edc2f4390e1f0c756171dcf5dcb478fe" }, { "md5": "6999d44a771942e41c0543aa01b6270d", "name": ".voltbl\u0000", "sha1": "efee2cc1d6a3d946a311984ead63b37fbddfcec3", "virtaddr": 40960, "virtsize": 12, "entropy": 0.22401940743984491, "raw_size": 512, "sha256": "a66c0ab3147dcc6b4ba189d522049e7723998a701dff524ba94e98d7dc91621f" }, { "md5": 
"7e15333d4627333db36e6c9457270393", "name": ".rsrc\u0000\u0000\u0000", "sha1": "fc4a2a3459aadf180a3c19b2d2c09b3e358f01a0", "virtaddr": 45056, "virtsize": 120774648, "entropy": 7.999997989688231, "raw_size": 120774656, "sha256": "bae167dfd69c5365f7fd23a2bf48d1aacc24b9c92342a9cfcf0e08b80c85e20d" }, { "md5": "d41d8cd98f00b204e9800998ecf8427e", "name": ".reloc\u0000\u0000", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "virtaddr": 120819712, "virtsize": 80, "entropy": 0, "raw_size": 512, "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" } ], "compile_time_epoch": 1652895910, "resources": [ { "address": 45572, "size": 119451628, "name": "resource_unknown_1033", "resource_id": 1033, "offset": 23044, "resource_type": "IMAGE_RESOURCE_DATA_ENTRY", "sub_language": "SUBLANG_ENGLISH_US", "filename": "resource_unknown_1033", "md5": "09549898e3f80516769198d77eed0cbc", "sha1": "744a06b6e25d7ce7d8eb1fe3a8f052246cfe9786", "language": "LANG_ENGLISH", "sha256": "1fdbeb23069993961cf66baf1c80963a32d1e0e9da5eaa797a458519da76aa31", "type": "unknown" }, { "address": 119497200, "size": 1319367, "name": "resource_unknown_1033", "resource_id": 1033, "offset": 119474672, "resource_type": "IMAGE_RESOURCE_DATA_ENTRY", "sub_language": "SUBLANG_ENGLISH_US", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "language": "LANG_ENGLISH", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "type": "unknown" }, { "address": 120816568, "size": 744, "name": "resource_RT_ICON_1033", "resource_id": 1033, "offset": 120794040, "resource_type": "IMAGE_RESOURCE_DATA_ENTRY", "sub_language": "SUBLANG_ENGLISH_US", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "language": "LANG_ENGLISH", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "type": "RT_ICON" }, { "address": 120817312, "size": 20, "name": "resource_RT_GROUP_ICON_1033", 
"resource_id": 1033, "offset": 120794784, "resource_type": "IMAGE_RESOURCE_DATA_ENTRY", "sub_language": "SUBLANG_ENGLISH_US", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "language": "LANG_ENGLISH", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "type": "RT_GROUP_ICON" }, { "address": 120817332, "size": 1196, "name": "resource_RT_VERSION_1033", "resource_id": 1033, "offset": 120794804, "resource_type": "IMAGE_RESOURCE_DATA_ENTRY", "sub_language": "SUBLANG_ENGLISH_US", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "language": "LANG_ENGLISH", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "type": "RT_VERSION" }, { "address": 120818528, "size": 1175, "name": "resource_RT_MANIFEST_1033", "resource_id": 1033, "offset": 120796000, "resource_type": "IMAGE_RESOURCE_DATA_ENTRY", "sub_language": "SUBLANG_ENGLISH_US", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "language": "LANG_ENGLISH", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "type": "RT_MANIFEST" } ], "imphash": "a3133d4cdb1fa8965c35bc3678b5ce95", "is_packed": true, "imports": { "KERNEL32.dll": [ "CloseHandle", "CreateDirectoryW", "CreateFileW", "CreateProcessW", "DosDateTimeToFileTime", "DuplicateHandle", "EnumResourceNamesW", "ExitProcess", "ExpandEnvironmentStringsW", "FindResourceW", "FreeLibrary", "GetCommandLineW", "GetCurrentProcess", "GetEnvironmentVariableW", "GetExitCodeProcess", "GetFileAttributesW", "GetFileInformationByHandleEx", "GetLastError", "GetModuleFileNameW", "GetModuleHandleW", "GetProcAddress", "GetProcessHeap", "GetSystemInfo", "GetVolumeInformationW", "GetVolumePathNameW", "HeapAlloc", "HeapFree", "LoadLibraryExA", "LoadLibraryExW", "LoadResource", "LocalAlloc", "LocalFileTimeToFileTime", "LocalFree", "LockResource", "MultiByteToWideChar", 
"RaiseException", "ReadFile", "SetFileInformationByHandle", "SetFilePointer", "SetLastError", "SetProcessWorkingSetSize", "SizeofResource", "Sleep", "VirtualProtect", "VirtualQuery", "WaitForSingleObject", "WideCharToMultiByte", "WriteFile", "lstrcmpiW", "lstrlenW" ], "SHELL32.dll": [ "CommandLineToArgvW" ] }, "image_base": { "image_base": 5368709120, "image_base_string": "0x140000000" }, "compile_time": "2022-05-18 17:45:10", "debug_info": [ { "DebugPDB": "mini_installer.exe.pdb", "DebugGUID": "b'd2301cb2'-b'760b3877'-b'4c4c4420'-b'5044422e'", "SizeOfData": 47, "MajorVersion": 0, "DebugSig": "RSDS", "TimeDateString": "2022-05-18 17:45:10", "Type": 2, "TimeDateStamp": 1652895910, "DebugAge": 1, "MinorVersion": 0 } ], "is_exe": true }, "iocextract": { "ipv6": [ "::6", "B::1", "::c", "cb::", "9::", "::C", "1::", "::B", "::E", "::A5", "3::", "D::", "b::", "c::B", "::0", "::F", "F2::", "66c::", "b::4", "::4", "B::", "3F::", "::b", "1::D1", "BCc::", "::8", "::d", "7::", "::a5", "E6::", "f::", "::A0", "::a", "::e", "::f", "c::61", "E::", "d::", "4::", "::5", "2::", "Cb::", "d4::", "::D", "::1", "::cA", "::3", "::2", "ab::", "5::", "::D1", "e::", "6::", "c::", "::5C", "C::", "::7", "F::", "::9", "8::", "cd::", "d::D", "bE::", "0::", "c::C", "Ce::", "d::a", "EF::", "::82", "bc3::", "C7E::", "::2b", "::A" ], "domain": [ "rs.cg", "k2.la", "07.cu", "qy.gn", "btr.do", "jny.ax", "lo.ai", "yr.hm", "m7.si", "h4.tc", "cb.mt", "p-.su", "vyrae.vg", "il.lt", "g4.mp", "bq.us", "uo.ao", "xne.mo", "tw.st", "er.ls", "1b9.wf", "0z.kn", "dh.bn", "8i.tw", "js.ga", "ij9.ar", "l7.sr", "d3.mu", "cn.gn", "sp.nr", "ve.km", "dr.fm", "ww.tn", "o1s.cw", "oh.gq", "ql.tt", "y7.aq", "vw.re", "mc.tj", "v-.de", "ja2.cr", "4r.mg", "j3.sa", "xb.gl", "cu.mm", "4c.om", "lk.cd", "eg.gr", "wx.mq", "xk.bd", "bn.hr", "1j.bi", "b4.by", "zl.eg", "nv.ro", "8s.nl", "bx.bd", "qaguz.bj", "iw.zm", "ne.mo", "vn.ng", "il.zw", "gy.sg", "udt.za", "d8.lt", "y3.dz", "o33.wf", "ip.bw", "ys.mo", "jm.ch", "ojv5.kr", "a6.bm", 
"8g.tr", "sh.nr", "nqj.bd", "vwt.gg", "4hz.dj", "jq.ht", "d0.gw", "tin.et", "og.cw", "u6.km", "zv.vn", "fg.re", "xh.it", "i7.py", "j3.rs", "fo.mz", "u2.sj", "ug.mn", "hb.ag", "ke.us", "usc.my", "rw.bg", "2h.ai", "dj.ch", "9dp.fj", "y2.to", "2s.mc", "pldds.hr", "rd.bm", "vx.ki", "-q.gs", "l-.pg", "o4.to", "zq.eg", "wi.cn", "no.ss", "8r.mv", "o3.eu", "6f.kr", "fm.gg", "u7e.st", "epek.li", "jk.co", "az.ae", "fs.mw", "8g.ad", "rm.zm", "lv.ki", "iua.ai", "dd.kp", "0e.ch", "gt.sx", "ss.sc", "xqv.tc", "qg.qa", "09.mx", "tjv.sk", "0l.re", "ci-.jo", "nfm.sa", "l8.se", "5fht.am", "oqh.bw", "aw.bg", "run.mo", "zz.fm", "ui.tc", "vy.cv", "gl.dj", "zfy.ss", "sf.bn", "4jn.cy", "eq1.tr", "m8.gl", "uaz.jm", "d7o.sg", "ec.ao", "ji.il", "7a.ga", "j7.ye", "9g.gl", "pf.mr", "9i.mc", "cf.bd", "lvp.fo", "oe.rw", "dx.ki", "0bcb.su", "do.ro", "tg.qa", "xd.zw", "be.pe", "zk.hu", "rb.me", "si.ss", "nwcc.es", "lj.vu", "qv.ca", "jm.gq", "ot.gs", "ig.mt", "as.af", "py.sc", "5e.cw", "bd.vu", "2twp.si", "x3h.pn", "y8-l.vi", "44xe.is", "a6.tw", "gpg.mn", "sm.cf", "ot.ve", "a0y4.ng", "wu.np", "mo.rs", "fs.cz", "wpdh.pw", "1m.cm", "hg.nz", "ss.gr", "ia.sl", "8q.bt", "6m.fm", "rp.nc", "pk.gi", "z5.je", "pvrh0p.ax", "k4.gu", "be.se", "b4s.je", "tc.ht", "uh.sk", "1n.cg", "l1.sc", "8c.py", "qz.sg", "yu.de", "dt.vc", "yki.jp", "53.cv", "g6.lk", "0r.kz", "qp.sl", "cd.pf", "sm.bm", "rg.ai", "n8.gy", "yyk.vi", "pnxs.rw", "p-.li", "vg-.gf", "1u6.ck", "bn.vi", "a3s.vg", "qy.am", "ck.kz", "rf.cn", "bj.es", "wn.im", "qb.mh", "vd.cd", "3d.gh", "rp.gw", "soolni.mz", "l6.ma", "fz.hu", "aa.cal", "y2.gi", "d9i.et", "z2.tz", "fbk.me", "eu1.bd", "xl.ma", "br.se", "3c.td", "nz.sn", "kmzq.au", "fjzl.kn", "wj.cg", "iphar.nf", "yuv.ma", "3nh.fk", "pv.ph", "r-p.nr", "db.us", "lf.bg", "o-.lu" ] }, "hash": { "sha256": "2e3e8c74c31072df7d07c651931fecd2a5ef24bf0d3ce89090b19922c86ab121", "md5": "aefd8c172e5736525d2639354eda8d31", "sha1": "76174d8ce477634d423fde5965f814cebee19a1b" }, "hash_ssdeep": { "ssdeep": 
"1572864:AWoCTKXRk8c1wh7Xao+1tgGL0Fgru/vGT/k2ST1sIj0MoRqm4ap/QU9Yh2Mb:dKhx5XarrLwV3Gw2SRsRlD9QUysMb" }, "entropy": { "entropy": 7.999995969241542 } }, "archivers": {}, "payload_meta": { "extra_data": { "filename": "HTTP-FOATsI3gRfSaHeitAh.exe", "source_dir": "/files" }, "should_scan": true, "should_archive": true, "dispatch_to": [] }, "extracted_from": [], "payload_id": "11270a4a-7abc-4c46-bf04-906caebcec07", "extracted_by": [] }, "decorators": {}, "path": "/var/log/stoq/b88b0f9e-5d61-4c5c-b4e5-f54d7e5d92fe", "event.action": "scan", "@version": "1", "time": "2022-06-08T21:51:54.163720", "host.name": "logstash", "request_meta": { "archive_payloads": true, "extra_data": {}, "source": null }, "@timestamp": "2022-06-08T21:52:05.633Z", "event.module": "stoq" }, "fields": { "results.workers.peinfo.debug_info.DebugAge": [ 1 ], "errors.payload_id.keyword": [ "11270a4a-7abc-4c46-bf04-906caebcec07", "11270a4a-7abc-4c46-bf04-906caebcec07", "ad204412-1fc7-4f5c-b753-f8bb9e53c737", "ad204412-1fc7-4f5c-b753-f8bb9e53c737", "ad204412-1fc7-4f5c-b753-f8bb9e53c737", "11270a4a-7abc-4c46-bf04-906caebcec07", "ad204412-1fc7-4f5c-b753-f8bb9e53c737" ], "results.plugins_run.workers": [ "entropy", "iocextract", "peinfo", "clamav", "lief", "hash", "hash_ssdeep", "yara" ], "results.workers.peinfo.is_packed": [ true ], "host.name.keyword": [ "logstash" ], "results.workers.hash_ssdeep.ssdeep": [ "1572864:AWoCTKXRk8c1wh7Xao+1tgGL0Fgru/vGT/k2ST1sIj0MoRqm4ap/QU9Yh2Mb:dKhx5XarrLwV3Gw2SRsRlD9QUysMb" ], "path": [ "/var/log/stoq/b88b0f9e-5d61-4c5c-b4e5-f54d7e5d92fe" ], "results.workers.peinfo.resources.sha256.keyword": [ "1fdbeb23069993961cf66baf1c80963a32d1e0e9da5eaa797a458519da76aa31", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", 
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ], "results.payload_meta.should_archive": [ true ], "results.workers.peinfo.imports.KERNEL32.dll": [ "CloseHandle", "CreateDirectoryW", "CreateFileW", "CreateProcessW", "DosDateTimeToFileTime", "DuplicateHandle", "EnumResourceNamesW", "ExitProcess", "ExpandEnvironmentStringsW", "FindResourceW", "FreeLibrary", "GetCommandLineW", "GetCurrentProcess", "GetEnvironmentVariableW", "GetExitCodeProcess", "GetFileAttributesW", "GetFileInformationByHandleEx", "GetLastError", "GetModuleFileNameW", "GetModuleHandleW", "GetProcAddress", "GetProcessHeap", "GetSystemInfo", "GetVolumeInformationW", "GetVolumePathNameW", "HeapAlloc", "HeapFree", "LoadLibraryExA", "LoadLibraryExW", "LoadResource", "LocalAlloc", "LocalFileTimeToFileTime", "LocalFree", "LockResource", "MultiByteToWideChar", "RaiseException", "ReadFile", "SetFileInformationByHandle", "SetFilePointer", "SetLastError", "SetProcessWorkingSetSize", "SizeofResource", "Sleep", "VirtualProtect", "VirtualQuery", "WaitForSingleObject", "WideCharToMultiByte", "WriteFile", "lstrcmpiW", "lstrlenW" ], "results.workers.peinfo.resources.language": [ "LANG_ENGLISH", "LANG_ENGLISH", "LANG_ENGLISH", "LANG_ENGLISH", "LANG_ENGLISH", "LANG_ENGLISH" ], "results.workers.peinfo.debug_info.TimeDateString": [ "2022-05-18 17:45:10" ], "results.payload_meta.should_scan": [ true ], "results.workers.peinfo.resources.md5": [ "09549898e3f80516769198d77eed0cbc", "d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e" ], "results.workers.peinfo.entrypoint.entry_point_string.keyword": [ "0x1000" ], "results.size": [ 104857600 ], "results.workers.hash.sha1.keyword": [ "76174d8ce477634d423fde5965f814cebee19a1b" ], "results.payload_meta.extra_data.source_dir": [ "/files" ], "results.workers.peinfo.resources.name.keyword": [ "resource_unknown_1033", 
"resource_unknown_1033", "resource_RT_ICON_1033", "resource_RT_GROUP_ICON_1033", "resource_RT_VERSION_1033", "resource_RT_MANIFEST_1033" ], "results.workers.peinfo.resources.sha1": [ "744a06b6e25d7ce7d8eb1fe3a8f052246cfe9786", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "da39a3ee5e6b4b0d3255bfef95601890afd80709" ], "results.workers.peinfo.debug_info.DebugPDB": [ "mini_installer.exe.pdb" ], "results.workers.entropy.entropy": [ 7.999996 ], "results.workers.peinfo.resources.sub_language.keyword": [ "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US" ], "results.workers.peinfo.resources.size": [ 119451628, 1319367, 744, 20, 1196, 1175 ], "results.workers.peinfo.compile_time": [ "2022-05-18 17:45:10" ], "results.workers.peinfo.sections.virtsize": [ 12773, 5708, 208, 756, 40, 12, 120774648, 80 ], "errors.plugin_name.keyword": [ "lief", "yara", "peinfo", "lief", "yara", "mwdb", "mwdb" ], "errors.plugin_name": [ "lief", "yara", "peinfo", "lief", "yara", "mwdb", "mwdb" ], "results.workers.peinfo.entrypoint.entry_point_string": [ "0x1000" ], "results.payload_id": [ "11270a4a-7abc-4c46-bf04-906caebcec07" ], "results.workers.peinfo.debug_info.MajorVersion": [ 0 ], "results.workers.peinfo.sections.sha256.keyword": [ "ee803baf64212a32e3c4c9d676b26d5e231e6c90d32d039537c1b7cb69a14e69", "deb4923b9c2b1eb3bcfaeb7f6f89d1327835d3c54986b07def0292b3f907d083", "92dda01efe8e35262925c76d98b457bf0bba08dddbb9de52ef598939215242b1", "91db690fc48846ec17bda5e5f40f49ee5a4343d299959aefa439ab62f6140ba3", "43534106e30a9c4af3b6b82d06507147edc2f4390e1f0c756171dcf5dcb478fe", "a66c0ab3147dcc6b4ba189d522049e7723998a701dff524ba94e98d7dc91621f", "bae167dfd69c5365f7fd23a2bf48d1aacc24b9c92342a9cfcf0e08b80c85e20d", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ], 
"results.workers.peinfo.resources.address": [ 45572, 119497200, 120816568, 120817312, 120817332, 120818528 ], "results.workers.peinfo.debug_info.TimeDateString.keyword": [ "2022-05-18 17:45:10" ], "results.plugins_run.archivers": [ "mwdb" ], "results.workers.peinfo.sections.sha256": [ "ee803baf64212a32e3c4c9d676b26d5e231e6c90d32d039537c1b7cb69a14e69", "deb4923b9c2b1eb3bcfaeb7f6f89d1327835d3c54986b07def0292b3f907d083", "92dda01efe8e35262925c76d98b457bf0bba08dddbb9de52ef598939215242b1", "91db690fc48846ec17bda5e5f40f49ee5a4343d299959aefa439ab62f6140ba3", "43534106e30a9c4af3b6b82d06507147edc2f4390e1f0c756171dcf5dcb478fe", "a66c0ab3147dcc6b4ba189d522049e7723998a701dff524ba94e98d7dc91621f", "bae167dfd69c5365f7fd23a2bf48d1aacc24b9c92342a9cfcf0e08b80c85e20d", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ], "results.workers.peinfo.compile_time_epoch": [ 1652895910 ], "errors.error.keyword": [ "worker:failed to scan: File \"/home/stoq/.stoq/plugins/lief/lief.py\", line 57, in scan ; lief.not_found: Manifest corrupted", "worker:failed to scan: File \"/usr/local/lib/python3.7/concurrent/futures/thread.py\", line 57, in run ; yara.TimeoutError: scanning timed out", "worker:failed to scan: File \"/usr/local/lib/python3.7/site-packages/pefile.py\", line 1852, in __parse__ ; pefile.PEFormatError: 'DOS Header magic not found.'", "worker:failed to scan: File \"/home/stoq/.stoq/plugins/lief/lief.py\", line 54, in scan ; stoq.exceptions.StoqPluginException: The file type isn't supported by LIEF", "worker:failed to scan: File \"/usr/local/lib/python3.7/concurrent/futures/thread.py\", line 57, in run ; yara.TimeoutError: scanning timed out", "archiver:failed to archive: File \"/usr/local/lib/python3.7/json/decoder.py\", line 355, in raw_decode ; json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)", "archiver:failed to archive: File \"/usr/local/lib/python3.7/json/decoder.py\", line 355, in raw_decode ; json.decoder.JSONDecodeError: Expecting 
value: line 1 column 1 (char 0)" ], "results.workers.peinfo.resources.resource_id": [ 1033, 1033, 1033, 1033, 1033, 1033 ], "results.plugins_run.workers.keyword": [ "entropy", "iocextract", "peinfo", "clamav", "lief", "hash", "hash_ssdeep", "yara" ], "results.workers.peinfo.resources.sha1.keyword": [ "744a06b6e25d7ce7d8eb1fe3a8f052246cfe9786", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "da39a3ee5e6b4b0d3255bfef95601890afd80709" ], "results.workers.peinfo.sections.virtaddr": [ 4096, 20480, 28672, 32768, 36864, 40960, 45056, 120819712 ], "results.workers.peinfo.sections.md5.keyword": [ "e733f7040a7e038e400bbc991cd44714", "c4b5b1d23d9e1f24e162e1a5ec780959", "5aaef3eb6f45b36cc620121eaeb57361", "d4d44b11494b6bbec5fd2ef8020b76db", "16f57dd8845af3f7942ae584a52164bc", "6999d44a771942e41c0543aa01b6270d", "7e15333d4627333db36e6c9457270393", "d41d8cd98f00b204e9800998ecf8427e" ], "results.workers.peinfo.is_exe": [ true ], "results.workers.peinfo.sections.name": [ ".text\u0000\u0000\u0000", ".rdata\u0000\u0000", ".data\u0000\u0000\u0000", ".pdata\u0000\u0000", ".00cfg\u0000\u0000", ".voltbl\u0000", ".rsrc\u0000\u0000\u0000", ".reloc\u0000\u0000" ], "results.workers.hash.sha256": [ "2e3e8c74c31072df7d07c651931fecd2a5ef24bf0d3ce89090b19922c86ab121" ], "results.workers.peinfo.imports.KERNEL32.dll.keyword": [ "CloseHandle", "CreateDirectoryW", "CreateFileW", "CreateProcessW", "DosDateTimeToFileTime", "DuplicateHandle", "EnumResourceNamesW", "ExitProcess", "ExpandEnvironmentStringsW", "FindResourceW", "FreeLibrary", "GetCommandLineW", "GetCurrentProcess", "GetEnvironmentVariableW", "GetExitCodeProcess", "GetFileAttributesW", "GetFileInformationByHandleEx", "GetLastError", "GetModuleFileNameW", "GetModuleHandleW", "GetProcAddress", "GetProcessHeap", "GetSystemInfo", "GetVolumeInformationW", "GetVolumePathNameW", "HeapAlloc", "HeapFree", 
"LoadLibraryExA", "LoadLibraryExW", "LoadResource", "LocalAlloc", "LocalFileTimeToFileTime", "LocalFree", "LockResource", "MultiByteToWideChar", "RaiseException", "ReadFile", "SetFileInformationByHandle", "SetFilePointer", "SetLastError", "SetProcessWorkingSetSize", "SizeofResource", "Sleep", "VirtualProtect", "VirtualQuery", "WaitForSingleObject", "WideCharToMultiByte", "WriteFile", "lstrcmpiW", "lstrlenW" ], "results.workers.peinfo.image_base.image_base": [ 5368709120 ], "results.workers.peinfo.debug_info.DebugSig.keyword": [ "RSDS" ], "request_meta.archive_payloads": [ true ], "results.workers.peinfo.resources.filename": [ "resource_unknown_1033" ], "errors.payload_id": [ "11270a4a-7abc-4c46-bf04-906caebcec07", "11270a4a-7abc-4c46-bf04-906caebcec07", "ad204412-1fc7-4f5c-b753-f8bb9e53c737", "ad204412-1fc7-4f5c-b753-f8bb9e53c737", "ad204412-1fc7-4f5c-b753-f8bb9e53c737", "11270a4a-7abc-4c46-bf04-906caebcec07", "ad204412-1fc7-4f5c-b753-f8bb9e53c737" ], "results.workers.peinfo.debug_info.TimeDateStamp": [ 1652895910 ], "event.action": [ "scan" ], "results.workers.iocextract.domain": [ "rs.cg", "k2.la", "07.cu", "qy.gn", "btr.do", "jny.ax", "lo.ai", "yr.hm", "m7.si", "h4.tc", "cb.mt", "p-.su", "vyrae.vg", "il.lt", "g4.mp", "bq.us", "uo.ao", "xne.mo", "tw.st", "er.ls", "1b9.wf", "0z.kn", "dh.bn", "8i.tw", "js.ga", "ij9.ar", "l7.sr", "d3.mu", "cn.gn", "sp.nr", "ve.km", "dr.fm", "ww.tn", "o1s.cw", "oh.gq", "ql.tt", "y7.aq", "vw.re", "mc.tj", "v-.de", "ja2.cr", "4r.mg", "j3.sa", "xb.gl", "cu.mm", "4c.om", "lk.cd", "eg.gr", "wx.mq", "xk.bd", "bn.hr", "1j.bi", "b4.by", "zl.eg", "nv.ro", "8s.nl", "bx.bd", "qaguz.bj", "iw.zm", "ne.mo", "vn.ng", "il.zw", "gy.sg", "udt.za", "d8.lt", "y3.dz", "o33.wf", "ip.bw", "ys.mo", "jm.ch", "ojv5.kr", "a6.bm", "8g.tr", "sh.nr", "nqj.bd", "vwt.gg", "4hz.dj", "jq.ht", "d0.gw", "tin.et", "og.cw", "u6.km", "zv.vn", "fg.re", "xh.it", "i7.py", "j3.rs", "fo.mz", "u2.sj", "ug.mn", "hb.ag", "ke.us", "usc.my", "rw.bg", "2h.ai", "dj.ch", "9dp.fj", 
"y2.to", "2s.mc", "pldds.hr", "rd.bm", "vx.ki", "-q.gs", "l-.pg", "o4.to", "zq.eg", "wi.cn", "no.ss", "8r.mv", "o3.eu", "6f.kr", "fm.gg", "u7e.st", "epek.li", "jk.co", "az.ae", "fs.mw", "8g.ad", "rm.zm", "lv.ki", "iua.ai", "dd.kp", "0e.ch", "gt.sx", "ss.sc", "xqv.tc", "qg.qa", "09.mx", "tjv.sk", "0l.re", "ci-.jo", "nfm.sa", "l8.se", "5fht.am", "oqh.bw", "aw.bg", "run.mo", "zz.fm", "ui.tc", "vy.cv", "gl.dj", "zfy.ss", "sf.bn", "4jn.cy", "eq1.tr", "m8.gl", "uaz.jm", "d7o.sg", "ec.ao", "ji.il", "7a.ga", "j7.ye", "9g.gl", "pf.mr", "9i.mc", "cf.bd", "lvp.fo", "oe.rw", "dx.ki", "0bcb.su", "do.ro", "tg.qa", "xd.zw", "be.pe", "zk.hu", "rb.me", "si.ss", "nwcc.es", "lj.vu", "qv.ca", "jm.gq", "ot.gs", "ig.mt", "as.af", "py.sc", "5e.cw", "bd.vu", "2twp.si", "x3h.pn", "y8-l.vi", "44xe.is", "a6.tw", "gpg.mn", "sm.cf", "ot.ve", "a0y4.ng", "wu.np", "mo.rs", "fs.cz", "wpdh.pw", "1m.cm", "hg.nz", "ss.gr", "ia.sl", "8q.bt", "6m.fm", "rp.nc", "pk.gi", "z5.je", "pvrh0p.ax", "k4.gu", "be.se", "b4s.je", "tc.ht", "uh.sk", "1n.cg", "l1.sc", "8c.py", "qz.sg", "yu.de", "dt.vc", "yki.jp", "53.cv", "g6.lk", "0r.kz", "qp.sl", "cd.pf", "sm.bm", "rg.ai", "n8.gy", "yyk.vi", "pnxs.rw", "p-.li", "vg-.gf", "1u6.ck", "bn.vi", "a3s.vg", "qy.am", "ck.kz", "rf.cn", "bj.es", "wn.im", "qb.mh", "vd.cd", "3d.gh", "rp.gw", "soolni.mz", "l6.ma", "fz.hu", "aa.cal", "y2.gi", "d9i.et", "z2.tz", "fbk.me", "eu1.bd", "xl.ma", "br.se", "3c.td", "nz.sn", "kmzq.au", "fjzl.kn", "wj.cg", "iphar.nf", "yuv.ma", "3nh.fk", "pv.ph", "r-p.nr", "db.us", "lf.bg", "o-.lu" ], "@timestamp": [ "2022-06-08T21:52:05.633Z" ], "results.payload_meta.extra_data.filename": [ "HTTP-FOATsI3gRfSaHeitAh.exe" ], "results.workers.peinfo.debug_info.DebugPDB.keyword": [ "mini_installer.exe.pdb" ], "path.keyword": [ "/var/log/stoq/b88b0f9e-5d61-4c5c-b4e5-f54d7e5d92fe" ], "results.workers.peinfo.compile_time.keyword": [ "2022-05-18 17:45:10" ], "errors.error": [ "worker:failed to scan: File \"/home/stoq/.stoq/plugins/lief/lief.py\", line 57, in scan 
; lief.not_found: Manifest corrupted", "worker:failed to scan: File \"/usr/local/lib/python3.7/concurrent/futures/thread.py\", line 57, in run ; yara.TimeoutError: scanning timed out", "worker:failed to scan: File \"/usr/local/lib/python3.7/site-packages/pefile.py\", line 1852, in __parse__ ; pefile.PEFormatError: 'DOS Header magic not found.'", "worker:failed to scan: File \"/home/stoq/.stoq/plugins/lief/lief.py\", line 54, in scan ; stoq.exceptions.StoqPluginException: The file type isn't supported by LIEF", "worker:failed to scan: File \"/usr/local/lib/python3.7/concurrent/futures/thread.py\", line 57, in run ; yara.TimeoutError: scanning timed out", "archiver:failed to archive: File \"/usr/local/lib/python3.7/json/decoder.py\", line 355, in raw_decode ; json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)", "archiver:failed to archive: File \"/usr/local/lib/python3.7/json/decoder.py\", line 355, in raw_decode ; json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)" ], "results.workers.peinfo.debug_info.MinorVersion": [ 0 ], "results.workers.peinfo.resources.filename.keyword": [ "resource_unknown_1033" ], "results.payload_meta.extra_data.filename.keyword": [ "HTTP-FOATsI3gRfSaHeitAh.exe" ], "results.workers.peinfo.resources.sub_language": [ "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US", "SUBLANG_ENGLISH_US" ], "results.plugins_run.archivers.keyword": [ "mwdb" ], "results.workers.peinfo.debug_info.DebugGUID": [ "b'd2301cb2'-b'760b3877'-b'4c4c4420'-b'5044422e'" ], "results.workers.hash.md5": [ "aefd8c172e5736525d2639354eda8d31" ], "results.workers.hash.sha256.keyword": [ "2e3e8c74c31072df7d07c651931fecd2a5ef24bf0d3ce89090b19922c86ab121" ], "results.workers.peinfo.sections.raw_size": [ 12800, 6144, 512, 1024, 512, 512, 120774656, 512 ], "results.payload_id.keyword": [ "11270a4a-7abc-4c46-bf04-906caebcec07" ], "event.action.keyword": [ "scan" ], 
"results.workers.peinfo.sections.sha1.keyword": [ "4a6ab5d0f35006a9fc167c6c375b76fdfb106303", "f3eace021a26c27e15f6f8a5f3ebfe6ca1996746", "ee858fbf5645ca0f2bde6cee2f929dac7c80594a", "0576772d9624b461dba0505b283f1dab77b8c39a", "8c815a6b5054749b19dd2168d5334e0d25ab38bf", "efee2cc1d6a3d946a311984ead63b37fbddfcec3", "fc4a2a3459aadf180a3c19b2d2c09b3e358f01a0", "da39a3ee5e6b4b0d3255bfef95601890afd80709" ], "host.name": [ "logstash" ], "results.workers.peinfo.imports.SHELL32.dll": [ "CommandLineToArgvW" ], "@version.keyword": [ "1" ], "results.payload_meta.extra_data.source_dir.keyword": [ "/files" ], "results.workers.peinfo.resources.resource_type.keyword": [ "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY" ], "results.workers.peinfo.resources.offset": [ 23044, 119474672, 120794040, 120794784, 120794804, 120796000 ], "results.workers.peinfo.resources.md5.keyword": [ "09549898e3f80516769198d77eed0cbc", "d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e" ], "results.workers.peinfo.sections.name.keyword": [ ".text\u0000\u0000\u0000", ".rdata\u0000\u0000", ".data\u0000\u0000\u0000", ".pdata\u0000\u0000", ".00cfg\u0000\u0000", ".voltbl\u0000", ".rsrc\u0000\u0000\u0000", ".reloc\u0000\u0000" ], "event.module.keyword": [ "stoq" ], "results.workers.peinfo.resources.name": [ "resource_unknown_1033", "resource_unknown_1033", "resource_RT_ICON_1033", "resource_RT_GROUP_ICON_1033", "resource_RT_VERSION_1033", "resource_RT_MANIFEST_1033" ], "results.workers.peinfo.image_base.image_base_string": [ "0x140000000" ], "results.workers.peinfo.resources.sha256": [ "1fdbeb23069993961cf66baf1c80963a32d1e0e9da5eaa797a458519da76aa31", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", 
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ], "results.workers.iocextract.ipv6": [ "::6", "B::1", "::c", "cb::", "9::", "::C", "1::", "::B", "::E", "::A5", "3::", "D::", "b::", "c::B", "::0", "::F", "F2::", "66c::", "b::4", "::4", "B::", "3F::", "::b", "1::D1", "BCc::", "::8", "::d", "7::", "::a5", "E6::", "f::", "::A0", "::a", "::e", "::f", "c::61", "E::", "d::", "4::", "::5", "2::", "Cb::", "d4::", "::D", "::1", "::cA", "::3", "::2", "ab::", "5::", "::D1", "e::", "6::", "c::", "::5C", "C::", "::7", "F::", "::9", "8::", "cd::", "d::D", "bE::", "0::", "c::C", "Ce::", "d::a", "EF::", "::82", "bc3::", "C7E::", "::2b", "::A" ], "results.workers.peinfo.sections.md5": [ "e733f7040a7e038e400bbc991cd44714", "c4b5b1d23d9e1f24e162e1a5ec780959", "5aaef3eb6f45b36cc620121eaeb57361", "d4d44b11494b6bbec5fd2ef8020b76db", "16f57dd8845af3f7942ae584a52164bc", "6999d44a771942e41c0543aa01b6270d", "7e15333d4627333db36e6c9457270393", "d41d8cd98f00b204e9800998ecf8427e" ], "results.workers.peinfo.resources.type": [ "unknown", "unknown", "RT_ICON", "RT_GROUP_ICON", "RT_VERSION", "RT_MANIFEST" ], "results.workers.peinfo.resources.type.keyword": [ "unknown", "unknown", "RT_ICON", "RT_GROUP_ICON", "RT_VERSION", "RT_MANIFEST" ], "results.workers.peinfo.imphash.keyword": [ "a3133d4cdb1fa8965c35bc3678b5ce95" ], "results.workers.hash.sha1": [ "76174d8ce477634d423fde5965f814cebee19a1b" ], "results.workers.iocextract.ipv6.keyword": [ "::6", "B::1", "::c", "cb::", "9::", "::C", "1::", "::B", "::E", "::A5", "3::", "D::", "b::", "c::B", "::0", "::F", "F2::", "66c::", "b::4", "::4", "B::", "3F::", "::b", "1::D1", "BCc::", "::8", "::d", "7::", "::a5", "E6::", "f::", "::A0", "::a", "::e", "::f", "c::61", "E::", "d::", "4::", "::5", "2::", "Cb::", "d4::", "::D", "::1", "::cA", 
"::3", "::2", "ab::", "5::", "::D1", "e::", "6::", "c::", "::5C", "C::", "::7", "F::", "::9", "8::", "cd::", "d::D", "bE::", "0::", "c::C", "Ce::", "d::a", "EF::", "::82", "bc3::", "C7E::", "::2b", "::A" ], "results.workers.peinfo.entrypoint.entry_point": [ 4096 ], "event.module": [ "stoq" ], "results.workers.hash.md5.keyword": [ "aefd8c172e5736525d2639354eda8d31" ], "@version": [ "1" ], "results.workers.peinfo.sections.sha1": [ "4a6ab5d0f35006a9fc167c6c375b76fdfb106303", "f3eace021a26c27e15f6f8a5f3ebfe6ca1996746", "ee858fbf5645ca0f2bde6cee2f929dac7c80594a", "0576772d9624b461dba0505b283f1dab77b8c39a", "8c815a6b5054749b19dd2168d5334e0d25ab38bf", "efee2cc1d6a3d946a311984ead63b37fbddfcec3", "fc4a2a3459aadf180a3c19b2d2c09b3e358f01a0", "da39a3ee5e6b4b0d3255bfef95601890afd80709" ], "results.workers.peinfo.debug_info.DebugSig": [ "RSDS" ], "results.workers.peinfo.imphash": [ "a3133d4cdb1fa8965c35bc3678b5ce95" ], "results.workers.peinfo.imports.SHELL32.dll.keyword": [ "CommandLineToArgvW" ], "results.workers.peinfo.sections.entropy": [ 6.119853, 4.0881324, 0.83770305, 3.2622616, 0.3114335, 0.22401941, 7.999998, 0 ], "scan_id.keyword": [ "b88b0f9e-5d61-4c5c-b4e5-f54d7e5d92fe" ], "results.workers.peinfo.resources.language.keyword": [ "LANG_ENGLISH", "LANG_ENGLISH", "LANG_ENGLISH", "LANG_ENGLISH", "LANG_ENGLISH", "LANG_ENGLISH" ], "results.workers.iocextract.domain.keyword": [ "rs.cg", "k2.la", "07.cu", "qy.gn", "btr.do", "jny.ax", "lo.ai", "yr.hm", "m7.si", "h4.tc", "cb.mt", "p-.su", "vyrae.vg", "il.lt", "g4.mp", "bq.us", "uo.ao", "xne.mo", "tw.st", "er.ls", "1b9.wf", "0z.kn", "dh.bn", "8i.tw", "js.ga", "ij9.ar", "l7.sr", "d3.mu", "cn.gn", "sp.nr", "ve.km", "dr.fm", "ww.tn", "o1s.cw", "oh.gq", "ql.tt", "y7.aq", "vw.re", "mc.tj", "v-.de", "ja2.cr", "4r.mg", "j3.sa", "xb.gl", "cu.mm", "4c.om", "lk.cd", "eg.gr", "wx.mq", "xk.bd", "bn.hr", "1j.bi", "b4.by", "zl.eg", "nv.ro", "8s.nl", "bx.bd", "qaguz.bj", "iw.zm", "ne.mo", "vn.ng", "il.zw", "gy.sg", "udt.za", "d8.lt", "y3.dz", 
"o33.wf", "ip.bw", "ys.mo", "jm.ch", "ojv5.kr", "a6.bm", "8g.tr", "sh.nr", "nqj.bd", "vwt.gg", "4hz.dj", "jq.ht", "d0.gw", "tin.et", "og.cw", "u6.km", "zv.vn", "fg.re", "xh.it", "i7.py", "j3.rs", "fo.mz", "u2.sj", "ug.mn", "hb.ag", "ke.us", "usc.my", "rw.bg", "2h.ai", "dj.ch", "9dp.fj", "y2.to", "2s.mc", "pldds.hr", "rd.bm", "vx.ki", "-q.gs", "l-.pg", "o4.to", "zq.eg", "wi.cn", "no.ss", "8r.mv", "o3.eu", "6f.kr", "fm.gg", "u7e.st", "epek.li", "jk.co", "az.ae", "fs.mw", "8g.ad", "rm.zm", "lv.ki", "iua.ai", "dd.kp", "0e.ch", "gt.sx", "ss.sc", "xqv.tc", "qg.qa", "09.mx", "tjv.sk", "0l.re", "ci-.jo", "nfm.sa", "l8.se", "5fht.am", "oqh.bw", "aw.bg", "run.mo", "zz.fm", "ui.tc", "vy.cv", "gl.dj", "zfy.ss", "sf.bn", "4jn.cy", "eq1.tr", "m8.gl", "uaz.jm", "d7o.sg", "ec.ao", "ji.il", "7a.ga", "j7.ye", "9g.gl", "pf.mr", "9i.mc", "cf.bd", "lvp.fo", "oe.rw", "dx.ki", "0bcb.su", "do.ro", "tg.qa", "xd.zw", "be.pe", "zk.hu", "rb.me", "si.ss", "nwcc.es", "lj.vu", "qv.ca", "jm.gq", "ot.gs", "ig.mt", "as.af", "py.sc", "5e.cw", "bd.vu", "2twp.si", "x3h.pn", "y8-l.vi", "44xe.is", "a6.tw", "gpg.mn", "sm.cf", "ot.ve", "a0y4.ng", "wu.np", "mo.rs", "fs.cz", "wpdh.pw", "1m.cm", "hg.nz", "ss.gr", "ia.sl", "8q.bt", "6m.fm", "rp.nc", "pk.gi", "z5.je", "pvrh0p.ax", "k4.gu", "be.se", "b4s.je", "tc.ht", "uh.sk", "1n.cg", "l1.sc", "8c.py", "qz.sg", "yu.de", "dt.vc", "yki.jp", "53.cv", "g6.lk", "0r.kz", "qp.sl", "cd.pf", "sm.bm", "rg.ai", "n8.gy", "yyk.vi", "pnxs.rw", "p-.li", "vg-.gf", "1u6.ck", "bn.vi", "a3s.vg", "qy.am", "ck.kz", "rf.cn", "bj.es", "wn.im", "qb.mh", "vd.cd", "3d.gh", "rp.gw", "soolni.mz", "l6.ma", "fz.hu", "aa.cal", "y2.gi", "d9i.et", "z2.tz", "fbk.me", "eu1.bd", "xl.ma", "br.se", "3c.td", "nz.sn", "kmzq.au", "fjzl.kn", "wj.cg", "iphar.nf", "yuv.ma", "3nh.fk", "pv.ph", "r-p.nr", "db.us", "lf.bg", "o-.lu" ], "results.workers.peinfo.image_base.image_base_string.keyword": [ "0x140000000" ], "results.workers.peinfo.debug_info.Type": [ 2 ], 
"results.workers.peinfo.resources.resource_type": [ "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY", "IMAGE_RESOURCE_DATA_ENTRY" ], "results.workers.peinfo.debug_info.SizeOfData": [ 47 ], "time": [ "2022-06-08T21:51:54.163Z" ], "results.workers.hash_ssdeep.ssdeep.keyword": [ "1572864:AWoCTKXRk8c1wh7Xao+1tgGL0Fgru/vGT/k2ST1sIj0MoRqm4ap/QU9Yh2Mb:dKhx5XarrLwV3Gw2SRsRlD9QUysMb" ], "scan_id": [ "b88b0f9e-5d61-4c5c-b4e5-f54d7e5d92fe" ], "results.workers.peinfo.debug_info.DebugGUID.keyword": [ "b'd2301cb2'-b'760b3877'-b'4c4c4420'-b'5044422e'" ] } }