
Analysis Report MsBDqyJWav.exe

Overview

General Information

Sample Name: MsBDqyJWav.exe
Analysis ID: 373104
MD5: a8494234809fa10a098a5368d8d1cdb5
SHA1: c448839c67ad321505e91a8abeff5f68f8bd3244
SHA256: 04db0b6b37fcd16563eaeb06996b2ab0c676f53cb1445d9b40eb46fa2c38c641
Tags: Adware, Eorezo, exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • MsBDqyJWav.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\MsBDqyJWav.exe' MD5: A8494234809FA10A098A5368D8D1CDB5)
    • MsBDqyJWav.tmp (PID: 6908 cmdline: 'C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp' /SL5='$D0262,898740,56832,C:\Users\user\Desktop\MsBDqyJWav.exe' MD5: FFCF263A020AA7794015AF0EDEE5DF0B)
      • Setup.exe (PID: 7124 cmdline: 'C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe' /VERYSILENT MD5: 121B03B80D008B3989D8F7D454BF437C)
        • cmd.exe (PID: 6320 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe' & del C:\ProgramData\*.dll & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • taskkill.exe (PID: 4680 cmdline: taskkill /im Setup.exe /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
          • timeout.exe (PID: 4532 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

Threatname: Vidar

{"Config: ": ["00000000 -> Version: 38", "Date: Mon Mar 22 18:52:48 2021", "MachineID: d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}", "HWID: d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963", "Path: C:\\Users\\user\\AppData\\Local\\Temp\\is-KUC5O.tmp\\Setup.exe", "Work Dir: C:\\\\ProgramData\\\\XKXCRS65ADTI5SZX0R5RDTMSN", "Windows: Windows 10 Pro [x64]", "Computer Name: 610930", "User Name: user", "Display Resolution: 1280x1024", "Display Language: en-US", "Keyboard Languages: English (United States)", "Local Time: 22/3/2021 18:52:48", "TimeZone: UTC-8", "[Hardware]", "Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "CPU Count: 4", "RAM: 8191 MB", "VideoCard: Microsoft Basic Display Adapter", "[Processes]", "---------- System [4]", "------------------------------  Registry [88]", "-  smss.exe [296]", "-  csrss.exe [388]", "-  wininit.exe [468]", "-  csrss.exe [480]", "-  services.exe [560]", "-  winlogon.exe [568]", "-  lsass.exe [588]", "-  fontdrvhost.exe [688]", "-  fontdrvhost.exe [696]", "-  svchost.exe [716]", "-  svchost.exe [792]", "-  svchost.exe [840]", "-  svchost.exe [892]", "-  dwm.exe [960]", "-  svchost.exe [332]", "-  svchost.exe [344]", "-  svchost.exe [372]", "-  svchost.exe [936]", "-  svchost.exe [1060]", "-  svchost.exe [1128]", "-  svchost.exe [1200]", "-  svchost.exe [1248]", "-  svchost.exe [1300]", "-  svchost.exe [1312]", "-  svchost.exe [1332]", "-  svchost.exe [1392]", "-  Memory Compression [1400]", "-  svchost.exe [1440]", "-  svchost.exe [1488]", "-  svchost.exe [1496]", "-  svchost.exe [1528]", "-  svchost.exe [1588]", "-  svchost.exe [1660]", "-  svchost.exe [1668]", "-  svchost.exe [1712]", "-  svchost.exe [1728]", "-  svchost.exe [1796]", "-  svchost.exe [1852]", "-  svchost.exe [1884]", "-  svchost.exe [1892]", "-  spoolsv.exe [1976]", "-  svchost.exe [2016]", "-  svchost.exe [1596]", "-  svchost.exe [2056]", "-  svchost.exe [2064]", "-  svchost.exe [2164]", "-  svchost.exe [2172]", "-  
svchost.exe [2180]", "-  svchost.exe [2216]", "-  svchost.exe [2224]", "-  svchost.exe [2236]", "-  svchost.exe [2256]", "-  svchost.exe [2364]", "-  svchost.exe [2440]", "-  svchost.exe [2504]", "-  sihost.exe [2080]", "-  svchost.exe [2544]", "-  svchost.exe [1188]", "-  taskhostw.exe [3144]", "-  svchost.exe [3260]", "---------- ctfmon.exe [3300]", "-  explorer.exe [3440]", "-  smartscreen.exe [3560]", "-  svchost.exe [3720]", "-  dllhost.exe [3840]", "-  ShellExperienceHost.exe [4088]", "-  SearchUI.exe [3276]", "-  RuntimeBroker.exe [3092]", "-  RuntimeBroker.exe [4252]", "-  svchost.exe [4420]", "-  RuntimeBroker.exe [4572]", "-  RuntimeBroker.exe [4636]", "-  WmiPrvSE.exe [4920]", "-  dllhost.exe [4784]", "-  WmiPrvSE.exe [4908]", "-  svchost.exe [1144]", "-  SgrmBroker.exe [1752]", "-  svchost.exe [5104]", "-  svchost.exe [2248]", "-  svchost.exe [2872]", "-  WmiPrvSE.exe [496]", "-  msiexec.exe [980]", "-  svchost.exe [4592]", "-  svchost.exe [2436]", "-  svchost.exe [5112]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5196]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5208]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5220]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5228]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5236]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5244]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5252]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5264]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5272]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5280]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5292]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5304]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5312]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5320]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5332]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5340]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5348]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5360]", "-  yxfXGUiRFsbWKTHLRLkAVEMt.exe [5368]", "-  svchost.exe [5636]", "-  wermgr.exe [5644]", "-  MusNotifyIcon.exe [5860]", "-  svchost.exe [5884]", "-  conhost.exe [6068]", "-  svchost.exe [5780]", "-  RuntimeBroker.exe [5108]", "-  
UsoClient.exe [5976]", "-  backgroundTaskHost.exe [4632]", "-  backgroundTaskHost.exe [4892]", "-  svchost.exe [4972]", "-  RuntimeBroker.exe [6228]", "-  svchost.exe [6400]", "-  Setup.exe [7124]", "-  svchost.exe [7144]", "[Software]", "Google Chrome [85.0.4183.121]", "Microsoft Office Professional Plus 2016 [16.0.4266.1001]", "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 [12.0.30501.0]", "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 [12.0.21005]", "Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 [10.0.30319]", "Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 [14.21.27702]", "Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 [14.21.27702]", "Java 8 Update 211 [8.0.2110.12]", "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 [11.0.61030.0]", "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 [14.21.27702.2]", "Java Auto Updater [2.8.211.12]", "Google Update Helper [1.3.35.451]", "Microsoft Office Professional Plus 2016 [16.0.4266.1001]", "Security Update for Microsoft Office 2016 (KB3114690) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920712) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3141456) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3115081) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920717) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114852) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920720) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4022161) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3128012) 32-Bit EditionSecurity Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft PowerPoint 2016 (KB4484246) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118263) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4022176) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114528) 32-Bit EditionSecurity Update for Microsoft Visio 2016 (KB4484244) 32-Bit EditionSecurity 
Update for Microsoft Office 2016 (KB4484287) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118262) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484214) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4011574) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3213650) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4462119) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4032236) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3085538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484138) 32-Bit EditionDefinition Update for Microsoft Office 2016 (KB3115407) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920678) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475580) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484248) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionSecurity Update for Microsoft Publisher 2016 (KB4011097) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464586) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4461435) 32-Bit EditionSecurity Update for Microsoft Outlook 2016 (KB4484274) 32-Bit EditionSecurity Update for Microsoft Project 2016 (KB4484269) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3191929) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011259) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464535) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB2920727) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114903) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920724) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484101) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118264) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011629) 32-Bit EditionSecurity Update for Microsoft Access 2016 (KB4484167) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit 
EditionUpdate for Microsoft Office 2016 (KB4032254) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011225) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4022193) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011634) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484258) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3178666) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011669) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475588) 32-Bit EditionUpdate for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3213551) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484145) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3115276) 32-Bit EditionMicrosoft Access MUI (English) 2016 [16.0.4266.1001]", "Microsoft Excel MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011629) 32-Bit EditionMicrosoft PowerPoint MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft PowerPoint 2016 (KB4484246) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionMicrosoft Publisher MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Publisher 2016 (KB4011097) 32-Bit EditionMicrosoft Outlook MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft Outlook 2016 (KB4484274) 32-Bit EditionMicrosoft Word MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionMicrosoft Office Proofing Tools 2016 - English [16.0.4266.1001]", "Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionOutils de v", "0000251f -> rification linguistique 2016 de Microsoft Office", "00002550 -> - Fran", "00002557 -> ais [16.0.4266.1001]", 
"Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionHerramientas de correcci", "000025c1 -> n de Microsoft Office 2016: espa", "000025e2 -> ol [16.0.4266.1001]", "Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114528) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3213650) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4462119) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3085538) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4022162) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484248) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464586) 32-Bit EditionSecurity Update for Microsoft Project 2016 (KB4484269) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011634) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475588) 32-Bit EditionUpdate for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionMicrosoft Office Proofing (English) 2016 [16.0.4266.1001]", "Microsoft InfoPath MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office Shared MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Office 2016 (KB4022176) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484214) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4011574) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475580) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3213551) 32-Bit EditionMicrosoft DCF MUI (English) 2016 [16.0.4266.1001]", "Microsoft OneNote MUI (English) 2016 [16.0.4266.1001]", "Update for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionMicrosoft Groove MUI (English) 2016 [16.0.4266.1001]", "Update for Microsoft OneDrive for 
Business (KB4022219) 32-Bit EditionMicrosoft Office OSM MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office OSM UX MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office Shared Setup Metadata MUI (English) 2016 [16.0.4266.1001]", "Microsoft Access Setup Metadata MUI (English) 2016 [16.0.4266.1001]", "Microsoft Skype for Business MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionAdobe Acrobat Reader DC [19.012.20035]", "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 [11.0.61030]", "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 [11.0.61030]", "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 [11.0.61030.0]", "Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 [14.21.27702.2]", "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 [12.0.30501.0]", "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 [12.0.21005]"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.341649176.0000000002660000.00000004.00000001.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000004.00000002.360773393.0000000002520000.00000040.00000001.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000004.00000002.360414190.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Process Memory Space: Setup.exe PID: 7124 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 7124 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.3.Setup.exe.2660000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
4.2.Setup.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
4.2.Setup.exe.2520e50.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
4.2.Setup.exe.2520e50.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
4.2.Setup.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://redomad.fun/ww/RunWW.exe | Avira URL Cloud: Label: malware
Found malware configuration
Source: information.txt.4.dr.binstr | Malware Configuration Extractor: Vidar (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: MsBDqyJWav.exe | Virustotal: Detection: 50%
Source: MsBDqyJWav.exe | ReversingLabs: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Joe Sandbox ML: detected
Source: 1.2.MsBDqyJWav.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.MsBDqyJWav.tmp.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4.2.Setup.exe.2520e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.Setup.exe.2660000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_0040A712 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,4_2_0040A712
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_0040A517 _memset,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,4_2_0040A517
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_0040A6AF CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,4_2_0040A6AF
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_00402727 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,4_2_00402727
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_0040A829 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,4_2_0040A829

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Unpacked PE file: 4.2.Setup.exe.400000.0.unpack
Source: MsBDqyJWav.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 216.239.34.21:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.72.12:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.17.62.50:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: MsBDqyJWav.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3[1].dll.4.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.4.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.4.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.4.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140[1].dll.4.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.4.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3[1].dll.4.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.4.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140[1].dll.4.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.4.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.4.dr
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00452AD4 FindFirstFileA,GetLastError,2_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,2_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,2_2_00498FDC
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00475798 FindFirstFileA,FindNextFileA,FindClose,2_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_0040E7E9 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,4_2_0040E7E9
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_0045E8D3 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,4_2_0045E8D3
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_004053B0 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,4_2_004053B0
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_00405C01 __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose,4_2_00405C01
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_00405EB1 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,4_2_00405EB1
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking:

May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Mon, 22 Mar 2021 17:52:40 GMT; Server: Apache/2.4.18 (Ubuntu); Last-Modified: Mon, 22 Mar 2021 17:50:03 GMT; ETag: "93c00-5be23b200b518"; Accept-Ranges: bytes; Content-Length: 605184; Connection: close; Content-Type: application/x-msdos-program; Data Raw: [hex dump omitted]
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 22 Mar 2021 17:52:46 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Tue, 23 Mar 2021 17:52:46 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 22 Mar 2021 17:52:46 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Tue, 23 Mar 2021 17:52:46 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 22 Mar 2021 17:52:46 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Tue, 23 Mar 2021 17:52:46 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 22 Mar 2021 17:52:47 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Tue, 23 Mar 2021 17:52:47 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 22 Mar 2021 17:52:48 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Tue, 23 Mar 2021 17:52:48 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 22 Mar 2021 17:52:48 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Tue, 23 Mar 2021 17:52:48 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: POST /827 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: juhjuh.comConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 4962Host: juhjuh.comConnection: Keep-AliveCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 104.17.62.50 104.17.62.50
                      Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: global trafficHTTP traffic detected: GET /country HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ipinfo.io
                      Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exeCode function: 4_2_00404F59 __EH_prolog3,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,4_2_00404F59
                      Source: global trafficHTTP traffic detected: GET /country HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /ww/RunWW.exe HTTP/1.0Host: redomad.funUser-Agent: InnoTools_Downloader
                      Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: juhjuh.comConnection: Keep-Alive
                      Source: Setup.exe, 00000004.00000003.349928316.0000000003341000.00000004.00000001.sdmpString found in binary or memory: not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to 
date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java-bean","application/x-java-bean;jpi-version=1.7.0_05","application/x-java-bean;version=1.1","application/x-java-bean;version=1.1.1","application/x-java-bean;version=1.1.2","application/x-java-bean;version=1.1.3","application/x-java-bean;version=1.2","application/x-java-bean;version=1.2.1","application/x-java-bean;version=1.2.2","application/x-java-bean;version=1.3","application/x-java-bean;version=1.3.1","application/x-java-bean;version=1.4","application/x-java-bean;version=1.4.1","application/x-java-bean;version=1.4.2","application/x-java-bean;version=1.5","application/x-java-bean;version=1.6","application/x-java-bean;version=1.7","application/x-java-vm","application/x-java-vm-npruntime"],"name":"IBM Java","versions":[]},"java-
                      Source: unknown | DNS traffic detected: queries for: ipinfo.io
                      Source: unknown | HTTP traffic detected: POST /827 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: juhjuh.comConnection: Keep-AliveCache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.diy
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1D2.crl0
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                      Source: Setup.exe, 00000004.00000003.349928316.0000000003341000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                      Source: MsBDqyJWav.exe, 00000001.00000003.326457846.0000000002310000.00000004.00000001.sdmp, MsBDqyJWav.tmp, 00000002.00000002.340424851.0000000002147000.00000004.00000001.sdmp | String found in binary or memory: http://ipinfo.io/country
                      Source: MsBDqyJWav.exe, 00000001.00000003.326457846.0000000002310000.00000004.00000001.sdmp, MsBDqyJWav.tmp, 00000002.00000002.340424851.0000000002147000.00000004.00000001.sdmp, MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp, MsBDqyJWav.tmp, 00000002.00000002.340278377.00000000007A8000.00000004.00000020.sdmp | String found in binary or memory: http://ipinfo.io/ip
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://ipinfo.io/p;
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://ipinfo.io:80/ipP.DMIO:ID:
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/1V
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/827
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/827sq#l
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/freebl3.dll
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/mozglue.dll
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/mozglue.dllPO
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/msvcp140.dll
                      Source: Setup.exe, 00000004.00000002.366356378.0000000003120000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/nss3.dV
                      Source: Setup.exe, 00000004.00000002.360695187.0000000000AF7000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/nss3.dll
                      Source: Setup.exe, 00000004.00000002.360714694.0000000000B27000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/nss3.dll_
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/softokn3.dll
                      Source: Setup.exe, 00000004.00000002.360695187.0000000000AF7000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/vcruntime140.dll(
                      Source: Setup.exe, 00000004.00000002.360695187.0000000000AF7000.00000004.00000001.sdmp | String found in binary or memory: http://juhjuh.com/vcruntime140.dllJ
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0N
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1d20
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://ocsp.thawte.com0
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1D2.crt0
                      Source: MsBDqyJWav.exe, 00000001.00000003.326457846.0000000002310000.00000004.00000001.sdmp, MsBDqyJWav.tmp, 00000002.00000002.340424851.0000000002147000.00000004.00000001.sdmp | String found in binary or memory: http://redomad.fun/ww/RunWW.exe
                      Source: Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp | String found in binary or memory: http://status.geotrust.com0=
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
                      Source: Setup.exe, 00000004.00000003.349928316.0000000003341000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                      Source: MsBDqyJWav.tmp, MsBDqyJWav.tmp, 00000002.00000002.340045365.0000000000401000.00000020.00020000.sdmp, MsBDqyJWav.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
                      Source: Setup.exe, 00000004.00000003.349928316.0000000003341000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                      Source: MsBDqyJWav.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                      Source: MsBDqyJWav.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                      Source: mozglue[1].dll.4.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                      Source: softokn3[1].dll.4.dr | String found in binary or memory: http://www.mozilla.com0
                      Source: MsBDqyJWav.exe, 00000001.00000003.326795385.0000000002080000.00000004.00000001.sdmp, MsBDqyJWav.tmp, MsBDqyJWav.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
                      Source: MsBDqyJWav.exe, 00000001.00000003.326795385.0000000002080000.00000004.00000001.sdmp, MsBDqyJWav.tmp, 00000002.00000002.340045365.0000000000401000.00000020.00020000.sdmp, MsBDqyJWav.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
                      Source: Setup.exe, 00000004.00000002.366457153.00000000031F6000.00000004.00000001.sdmp, temp.4.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: Setup.exe, 00000004.00000002.360695187.0000000000AF7000.00000004.00000001.sdmp | String found in binary or memory: https://api.faceit.com/
                      Source: Setup.exe, 00000004.00000002.360695187.0000000000AF7000.00000004.00000001.sdmp | String found in binary or memory: https://api.faceit.com/(
                      Source: Setup.exe, 00000004.00000002.360695187.0000000000AF7000.00000004.00000001.sdmp | String found in binary or memory: https://api.faceit.com/core/v1/nicknames/sergeevih
                      Source: Setup.exe, 00000004.00000002.366457153.00000000031F6000.00000004.00000001.sdmp, temp.4.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: Setup.exe, 00000004.00000002.366457153.00000000031F6000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/?q=
                      Source: temp.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: Setup.exe, 00000004.00000002.366457153.00000000031F6000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrom
                      Source: temp.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: temp.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtabSQLite
                      Source: temp.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/country9
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340424851.0000000002147000.00000004.00000001.sdmp | String found in binary or memory: https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340456871.0000000002192000.00000004.00000001.sdmp | String found in binary or memory: https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/84.17.52.78
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
                      Source: MsBDqyJWav.tmp, 00000002.00000002.340348104.0000000000832000.00000004.00000020.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: Setup.exe, 00000004.00000002.366457153.00000000031F6000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com
                      Source: temp.4.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: Setup.exe, 00000004.00000002.366457153.00000000031F6000.00000004.00000001.sdmp, temp.4.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: Setup.exe, 00000004.00000003.349928316.0000000003341000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                      Source: Setup.exe, 00000004.00000003.349928316.0000000003341000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                      Source: Setup.exe, 00000004.00000003.349928316.0000000003341000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp | String found in binary or memory: https://wanfo.io/
                      Source: MsBDqyJWav.tmp, 00000002.00000003.339507793.0000000000814000.00000004.00000001.sdmp, Setup.exe, 00000004.00000002.360725941.0000000000B44000.00000004.00000001.sdmp, softokn3[1].dll.4.dr | String found in binary or memory: https://www.digicert.com/CPS0
                      Source: Setup.exe, 00000004.00000002.366457153.00000000031F6000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/goog
                      Source: temp.4.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                      Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
                      Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                      Source: unknown | HTTPS traffic detected: 216.239.34.21:443 -> 192.168.2.6:49716 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 172.67.72.12:443 -> 192.168.2.6:49718 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.17.62.50:443 -> 192.168.2.6:49726 version: TLS 1.2
                      Source: Setup.exe, 00000004.00000002.360642719.0000000000A7A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0042F594 NtdllDefWindowProc_A, | 2_2_0042F594
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00423B94 NtdllDefWindowProc_A, | 2_2_00423B94
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_004125E8 NtdllDefWindowProc_A, | 2_2_004125E8
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00479380 NtdllDefWindowProc_A, | 2_2_00479380
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, | 2_2_0045763C
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, | 2_2_0042E944
                      Source: C:\Users\user\Desktop\MsBDqyJWav.exe | Code function: 1_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, | 1_2_00409448
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, | 2_2_0045568C
                      Source: C:\Users\user\Desktop\MsBDqyJWav.exe | Code function: 1_2_0040840C | 1_2_0040840C
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00444AE4 | 2_2_00444AE4
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0048ED0C | 2_2_0048ED0C
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0043533C | 2_2_0043533C
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_004813C4 | 2_2_004813C4
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00467848 | 2_2_00467848
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_004303D0 | 2_2_004303D0
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0044453C | 2_2_0044453C
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_004885E0 | 2_2_004885E0
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00434638 | 2_2_00434638
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00470C74 | 2_2_00470C74
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00430F5C | 2_2_00430F5C
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0045F16C | 2_2_0045F16C
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_004451DC | 2_2_004451DC
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0045B21C | 2_2_0045B21C
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_004455E8 | 2_2_004455E8
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_00487680 | 2_2_00487680
                      Source: C:\Users\user\AppData\Local\Temp\is-6E6PV.tmp\MsBDqyJWav.tmp | Code function: 2_2_0046989C | 2_2_0046989C
                      Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_0043E990 | 4_2_0043E990
                      Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_00461E6C | 4_2_00461E6C
                      Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe | Code function: 4_2_0044228A | 4_2_0044228A
                      Source: C:\Users\user\AppData\Local\Temp\is-KUC5O.tmp\Setup.exe